Core Concepts for Effective Cybersecurity Awareness

As the digital landscape continues to expand, the importance of cybersecurity awareness training within the workplace has become undeniable. Businesses are increasingly vulnerable to cyberattacks, many of which stem from simple human error. Nearly three-quarters of all breaches can be traced back to preventable actions by employees, making it clear that organizations must prioritize education around digital security.

Cybercriminals are constantly developing new, more sophisticated tactics. Phishing attacks, credential theft, social engineering, and ransomware are only a few examples of how hackers exploit individuals rather than focusing solely on system vulnerabilities. The rise of remote and hybrid work environments has further complicated the matter, opening up new vectors for attack. Employees working from home often use unsecured networks, weak passwords, or personal devices, each of which can introduce substantial risks to the organization.

While investing in technical security infrastructure such as firewalls, intrusion detection systems, and anti-virus programs is essential, these measures are not enough on their own. A single compromised user can nullify an entire security framework. For this reason, cybersecurity awareness training is not a luxury or a one-time orientation—it is an ongoing requirement for a secure enterprise.

A well-designed training program does more than protect information. It empowers employees by giving them the confidence and skills to act as the first line of defense. Security becomes a shared responsibility, embedded in the culture of the organization. Employees who are well-informed are not just less likely to make mistakes—they are more likely to recognize threats and respond proactively.

Core Elements of Cybersecurity Awareness Training

Effective cybersecurity awareness training must be structured, consistent, and engaging. A fragmented approach will not yield the behavior change organizations need. For training to produce results, it must cover key threat areas, adapt to evolving risks, and be applicable to real-world scenarios employees face every day.

Cybersecurity awareness should begin with a comprehensive overview of why cybersecurity matters to the organization. This sets the foundation for why every role in the company, from entry-level to executive, has a stake in maintaining digital security. The most effective programs contextualize threats in terms of business impact—such as downtime, financial loss, legal penalties, or reputation damage—making it easier for employees to grasp the real-world implications of their actions.

The next step is to break down the types of threats employees are likely to encounter. These typically include phishing scams, password attacks, unsafe browsing habits, email fraud, and mobile vulnerabilities. Each topic should be presented in plain language with examples relevant to the employee’s work environment. Use of role-play or simulation can be highly effective in reinforcing these lessons.

Importantly, training must emphasize that cybersecurity is a shared responsibility. It should instill a sense of ownership among employees for their digital actions. When staff recognize their power to prevent incidents, the workplace becomes safer and more vigilant. Creating this culture requires consistency. Cybersecurity should be part of regular conversations, not just once-a-year events.

Designing Cybersecurity Awareness Training for Maximum Impact

The first step in designing a robust cybersecurity awareness training program is assessing your organization’s unique risk profile. This includes analyzing the systems you use, the industries you operate within, and the kinds of data you handle. For example, healthcare and finance organizations may need more rigorous protections due to the sensitive nature of the information they process.

Following this assessment, you can begin to outline your training objectives. The overarching goal should be to minimize the human risk factor. More specifically, your training should help employees identify and respond to threats, understand corporate policies, and practice safe behavior both online and offline.

Next, determine the scope of your training. Every program should begin with foundational topics—such as phishing awareness, safe password practices, and secure browsing—and then evolve to cover advanced areas like insider threats, remote work security, and privacy regulations. Keep the content modular so it can be tailored to specific roles and departments.

Delivery methods are another critical consideration. Traditional seminars or long-form lectures are rarely effective on their own. Adults learn best through active engagement. Combine methods such as interactive e-learning, scenario-based simulations, short video lessons, and real-time phishing drills. These strategies help employees retain knowledge and apply it in their day-to-day work.

Evaluation should be built into the training from the beginning. Use quizzes, practical assessments, and behavioral observations to measure progress. This data will allow you to identify knowledge gaps and revise the training accordingly. Over time, your metrics should show improvements in awareness, responsiveness, and reporting behavior.

Phishing Awareness: The Front Line of Cyber Defense

Phishing remains one of the most common and effective cyberattack techniques. In a typical phishing attempt, an attacker sends an email or message that appears to come from a trusted source. It might contain a malicious link, a fraudulent invoice, or a request for sensitive credentials. Once the recipient interacts with the message, the attacker may gain unauthorized access to systems or data.

Many employees believe they are capable of recognizing phishing emails, but the truth is that attackers are becoming increasingly sophisticated. They often personalize messages using details gleaned from public sources, making them more convincing. As artificial intelligence tools become more accessible to threat actors, the volume and quality of phishing attempts are likely to rise.

Training should begin by showing employees how to recognize the common features of phishing messages. These might include suspicious sender addresses, grammatical errors, urgency or threats, and unexpected attachments. Employees should also be taught to verify requests for sensitive information using alternate channels.
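The indicators listed above can be turned into a simple defender-side check. The following Python is an added example (not code from the article): it scores a constructed message for a display name that borrows a trusted address, a lookalike sender domain, urgency language, link text that disagrees with its real destination, and risky attachment types. The trusted domain, the keyword and extension lists, and both sample messages are assumptions built for the example.

```python
"""Heuristic check for the phishing indicators described above.

Added example, not code from the article. The trusted domain, the keyword
and extension lists and both sample messages are constructed values.
"""
import re
from dataclasses import dataclass, field

TRUSTED_DOMAINS = {"example-corp.com"}   # constructed: the organisation's own domain
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "final notice")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".docm", ".xlsm", ".zip")


@dataclass
class Message:
    sender_name: str          # display name as shown in the mail client
    sender_addr: str          # actual From address
    subject: str
    body: str
    links: list               # (visible text, real href) pairs
    attachments: list = field(default_factory=list)


def _domain(value: str) -> str:
    """Domain part of an e-mail address or http(s) URL, lowercased ('' if none)."""
    m = re.search(r"@([\w.-]+)$", value) or re.search(r"https?://([\w.-]+)", value)
    return m.group(1).lower() if m else ""


def _within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one inserted, deleted or substituted character."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """Typo-squat (examp1e-corp.com), trusted name used as a subdomain of another
    domain (example-corp.com.verify.net) or as a prefix (example-corp-login.net)."""
    for t in TRUSTED_DOMAINS:
        label = t.split(".")[0]
        if domain != t and (_within_one_edit(domain, t)
                            or domain.startswith(t + ".")
                            or domain.startswith(label + "-")):
            return True
    return False


def phishing_indicators(msg: Message) -> list:
    """Return one human-readable finding per indicator present in the message."""
    findings = []
    sender_dom = _domain(msg.sender_addr)
    if not is_trusted(sender_dom):
        # Display name carries a trusted address while the real From does not.
        if any(t in msg.sender_name.lower() for t in TRUSTED_DOMAINS):
            findings.append(f"display name impersonates a trusted address; real sender is {sender_dom}")
        if is_lookalike(sender_dom):
            findings.append(f"sender domain {sender_dom} is a lookalike of a trusted domain")
    text = f"{msg.subject} {msg.body}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency or threat language: " + ", ".join(hits))
    for visible, href in msg.links:
        shown, real = _domain(visible), _domain(href)
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
        elif real and not is_trusted(real):
            findings.append(f"link to untrusted domain {real}")
    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"unexpected or risky attachment type: {name}")
    return findings


def risk_level(msg: Message) -> str:
    n = len(phishing_indicators(msg))
    return "high" if n >= 3 else "medium" if n else "low"


# Constructed sample messages for a quick self-check.
LEGIT = Message("IT Helpdesk", "helpdesk@example-corp.com",
                "Scheduled VPN maintenance on Saturday",
                "The VPN gateway will be patched on Saturday between 02:00 and 04:00. No action is needed.",
                links=[("https://intranet.example-corp.com/maintenance",
                        "https://intranet.example-corp.com/maintenance")],
                attachments=["maintenance-window.pdf"])
SUSPICIOUS = Message("it-helpdesk@example-corp.com", "support@examp1e-corp.com",
                     "URGENT: password expires today",
                     "Your account will be suspended unless you verify within 24 hours.",
                     links=[("https://sso.example-corp.com/reset", "https://examp1e-corp.com/reset")],
                     attachments=["invoice.zip"])

if __name__ == "__main__":
    for m in (LEGIT, SUSPICIOUS):
        print(m.subject, "->", risk_level(m), phishing_indicators(m))
```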

However, detection is only one part of the equation. Employees must also know what to do when they receive a phishing message. Immediate reporting allows IT teams to act quickly, preventing others from falling into the same trap. Some organizations establish a dedicated phishing report button in email clients to streamline this process.

The effectiveness of phishing training increases significantly when combined with simulated phishing tests. These tests involve sending mock phishing emails to employees to assess how they respond. Employees who click on the simulated phishing links are provided with instant feedback and directed to a refresher module. These tests both reinforce training and help track overall risk levels in the workforce.

Password Security and Access Control

Password security is fundamental to maintaining a strong cybersecurity posture. Unfortunately, many breaches occur because employees reuse passwords across platforms or choose passwords that are easy to guess. Cybercriminals use automated tools to crack weak passwords, gaining unauthorized access to systems that may contain sensitive or proprietary information.

Training should begin by outlining the characteristics of strong passwords. These should include a mix of upper- and lowercase letters, numbers, and special characters, and be at least eight to twelve characters long. Employees must also be taught never to share their passwords with anyone, including internal helpdesk staff.

One of the most effective ways to enforce password hygiene is to promote the use of password managers. These tools generate, store, and autofill secure passwords for different accounts, reducing the risk of password reuse. Training should include a demonstration of how to use a password manager safely.

Beyond password composition, organizations should introduce the concept of access control. Employees should understand that systems and data must be accessed only on a need-to-know basis. The principle of least privilege ensures that users only have access to the resources they require to perform their duties. This limits the damage that can occur if an account is compromised.

Another crucial element is multi-factor authentication (MFA). MFA adds an extra layer of security by requiring users to verify their identity using a second factor, such as a mobile app, a text code, or a biometric identifier. Employees should be educated on the importance of enabling MFA wherever possible, especially for remote access or cloud-based services.

Safe Internet and Email Practices

Internet and email use are essential for everyday business operations, but they also represent significant attack surfaces. Unsafe browsing behaviors or reckless email handling can expose the organization to malware, data theft, or ransomware.

Training should focus on teaching employees how to browse the internet safely. This includes verifying URLs before clicking, avoiding unfamiliar or unsecured websites, and being cautious about downloads. Modern browsers can help by flagging potentially dangerous sites, but users must still exercise judgment.

Employees should be instructed to keep their browsers and plugins up to date, as outdated software often contains exploitable vulnerabilities. Similarly, the use of unauthorized browser extensions should be discouraged, as they can introduce security and privacy risks.

Email hygiene is just as critical. Aside from phishing, email can be used to distribute malware through infected attachments or links. Employees should be trained to view every unsolicited email with skepticism and report anything unusual. A simple rule—never open attachments or click links from unknown sources—can prevent a wide range of attacks.

Organizations should also establish policies for email communication. For example, sensitive data should never be sent via unencrypted email. Employees should also avoid using personal email accounts for work-related communication. These habits help prevent data leaks and preserve organizational integrity.

Mobile Device Security in a Connected World

The widespread adoption of mobile devices in the workplace has created new opportunities for productivity but also new challenges for security. Laptops, tablets, and smartphones frequently store sensitive information and access corporate resources. If a device is lost, stolen, or compromised, the consequences can be severe.

Training should emphasize that mobile devices must be treated with the same level of security as desktop computers. This includes setting strong passwords or biometric locks, enabling remote wipe capabilities, and installing security updates promptly. Devices should never be left unattended in public areas or shared with unauthorized users.

Employees should be made aware of the risks associated with public Wi-Fi. Unsecured networks can allow attackers to intercept communications or inject malicious software. Best practices include disabling automatic Wi-Fi connections and using Virtual Private Networks (VPNs) to encrypt traffic.

The use of personal devices for work purposes—often called Bring Your Own Device (BYOD)—adds another layer of complexity. Organizations must implement BYOD policies that define acceptable use, security requirements, and data ownership. Employees should be required to install endpoint protection and comply with remote management protocols.

Training should also cover the proper handling of mobile apps. Employees should only install apps from trusted sources and be cautious about granting permissions. Some apps may access contact lists, files, or location data that could pose privacy risks. A basic understanding of mobile security settings and app management goes a long way in protecting both personal and organizational data.

Network Security Basics for Every Employee

Network security forms the backbone of an organization’s IT infrastructure. While the technical implementation is typically the responsibility of IT teams, all employees must understand the basics to avoid inadvertently weakening the system. A single user connecting an unsecured device to a corporate network or falling for a man-in-the-middle attack can have widespread consequences.

Training should begin by explaining the importance of secure networks in maintaining business continuity and protecting sensitive data. Employees should be taught to recognize different types of network threats, such as spoofing, sniffing, and unauthorized access. Each concept should be paired with examples of real-world incidents to emphasize the potential impact.

A vital component of network security awareness is educating staff about the importance of secure Wi-Fi usage. Employees working remotely or in hybrid environments must understand how to identify secure connections and avoid public or open Wi-Fi networks whenever possible. If public networks must be used, VPNs should be mandatory to encrypt communication.

Another area of concern is the growing number of Internet of Things (IoT) devices connected to corporate networks. These can include everything from smart printers to connected cameras. Employees should be taught that these devices must be properly configured, regularly updated, and monitored for suspicious behavior. Unsecured IoT devices are often targeted as entry points by cybercriminals.

Network segmentation and access controls should also be explained at a basic level. Employees may not be responsible for managing these systems, but understanding why certain resources are restricted or monitored helps foster compliance. When staff understand that segmentation protects them and the business, they are more likely to follow protocols willingly.

Understanding Data Privacy Regulations and Compliance

Data privacy has moved to the forefront of cybersecurity due to the rise in global data protection laws. Regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and others mandate how organizations handle personal and sensitive information. Non-compliance can result in hefty fines, legal action, and loss of customer trust.

Cybersecurity awareness training must include an overview of relevant privacy laws that apply to the business. While legal teams typically handle compliance strategy, all employees who process personal data have a role to play. The training should explain what constitutes personal data, how it must be protected, and what steps must be taken in the event of a data breach.

One of the most important practices employees must follow is data minimization. This means collecting only the data that is necessary for a specific task and ensuring it is stored securely. Staff should also understand the concept of data lifecycle management—when data is created, how it is used, where it is stored, and when it should be deleted.

Consent management is another area where employees may be involved. For example, marketing staff collecting emails for newsletters must understand how to obtain and record valid consent. They must also be trained on how to respond to requests from individuals seeking to access, modify, or delete their personal data.

Employees should be trained to recognize data privacy violations, whether accidental or intentional. Sending unencrypted personal information via email, sharing data across departments without proper authorization, or using unsecured file-sharing platforms all constitute potential compliance risks. Prompt reporting and corrective action are essential in mitigating harm.

Malware and Ransomware Prevention

Malware—including viruses, worms, spyware, and ransomware—remains a significant threat to organizations. These malicious programs can cause system outages, corrupt data, and in the case of ransomware, hold entire systems hostage until a payment is made. Understanding how malware spreads and how to prevent it is critical for every employee.

Training should start with an overview of how malware typically enters a system. Common vectors include malicious email attachments, infected downloads, compromised websites, and removable media like USB drives. Employees must be taught to avoid opening unknown files, clicking on suspicious links, or using unauthorized external devices.

Ransomware deserves special attention due to its growing prevalence and devastating consequences. Employees should be educated on how ransomware operates—usually by encrypting files and demanding payment in cryptocurrency—and how it can be triggered by something as simple as a single click.

Preventative strategies must be emphasized. These include keeping software and systems up to date, running reputable antivirus software, and working without administrative privileges unless absolutely necessary. Employees should also be trained on how to respond if they suspect malware activity: disconnect from the network, report immediately, and avoid interacting further with the infected system.

In addition, emphasize the importance of regular backups. Employees should know where their data is stored, how it is backed up, and how recovery processes work. This knowledge is crucial in case of a ransomware attack where restoring systems from backups is often the safest response.

Identifying and Preventing Insider Threats

Not all cybersecurity threats come from external actors. Insider threats—whether malicious or accidental—pose a unique challenge because they often involve individuals with legitimate access to systems and data. These threats can originate from disgruntled employees, negligent behavior, or even third-party vendors with access rights.

Training should help employees recognize the signs of insider threats. These may include unusual access patterns, repeated policy violations, attempts to bypass security protocols, or changes in behavior. Employees must be encouraged to report suspicious activity, even if it involves a peer or supervisor. A clear, confidential reporting process must be established.

Employees should also be aware of how their actions might unintentionally contribute to an insider threat. Sending confidential files to the wrong recipient, leaving sensitive documents unattended, or failing to log out of shared systems can all lead to data breaches. These mistakes, though unintentional, can be just as damaging as deliberate sabotage.

Access management and separation of duties are critical concepts here. Employees should understand that restricted access is not about mistrust but about limiting exposure in case of error or compromise. They should also be reminded not to share credentials or access codes, even with trusted colleagues.

Contractors, freelancers, and vendors should be included in the training program. Anyone with access to company systems or data must adhere to the same cybersecurity standards as internal employees. Third-party risk assessments and ongoing audits can help mitigate these risks.

Creating a Culture of Cybersecurity

Perhaps the most vital element of a successful cybersecurity awareness program is creating a security-first culture. Cybersecurity cannot be viewed as the sole responsibility of the IT department. Instead, it must be woven into the organization’s values, policies, and daily operations.

To build this culture, leadership must model strong cybersecurity behaviors. When executives follow policies, complete training, and actively engage in awareness efforts, it sends a powerful message to the rest of the organization. Conversely, if leaders ignore protocols or exempt themselves from requirements, it undermines the entire initiative.

Regular communication is key. Cybersecurity topics should be included in internal newsletters, team meetings, and employee onboarding. Use simple language, avoid jargon, and focus on actionable tips. Celebrating small wins—such as increased phishing report rates or improved password compliance—reinforces positive behavior.

Gamification can also play a role in sustaining engagement. Quizzes, challenges, and recognition programs help keep cybersecurity awareness top-of-mind. For example, awarding a “Security Star of the Month” encourages friendly competition while reinforcing good habits.

Training should be an ongoing effort, not a one-time event. The threat landscape evolves rapidly, and so should your awareness program. Annual training sessions must be supplemented with periodic refreshers, updated content, and alerts about emerging threats.

Finally, organizations must listen to employee feedback. If certain training formats are not resonating, or if policies are too cumbersome, make adjustments. A cybersecurity culture that includes transparency, collaboration, and shared ownership is more resilient and more effective.

Incident Response Procedures and Employee Roles

Despite the best preventive measures, cybersecurity incidents can and do occur. How an organization responds in the critical first moments after a breach can determine the extent of the damage. That’s why every employee must understand their role in the incident response plan, even if they’re not part of the IT or security teams.

Training should begin by introducing the concept of an incident response plan (IRP). This structured approach defines the steps to be taken when a cybersecurity event is detected. The IRP typically includes phases such as preparation, detection, containment, eradication, recovery, and lessons learned.

Employees should be made aware of the types of incidents that require immediate reporting. These include suspected phishing emails, lost or stolen devices, unauthorized system access, malware infections, or accidental disclosure of sensitive information. Training should emphasize that delays in reporting—even just a few hours—can escalate the impact dramatically.

Clear communication channels are essential. Employees must know whom to contact and how. Whether it’s an internal helpdesk, an IT security team, or a dedicated cybersecurity hotline, response procedures must be simple, accessible, and well-documented. Posters, cheat sheets, or desktop guides can help reinforce these contact points.

Employees should also be instructed on what not to do during a potential incident. For example, they should avoid deleting suspicious emails, turning off compromised machines, or attempting to “fix” the problem on their own. Preserving evidence is crucial for investigation and containment. Tampering with files or systems—even with good intentions—can interfere with forensic analysis.

Post-incident communication is also part of awareness. After a breach or near-miss, affected employees should receive updates, guidance on protecting themselves, and any changes in procedures. This reinforces a culture of transparency and improvement, rather than blame and fear.

Compliance Auditing and Policy Enforcement

Cybersecurity policies are only effective if they are followed, and regular auditing is the mechanism that ensures compliance. While audits are typically conducted by specialized teams, employees across all departments must understand the policies and how they are enforced.

Training should familiarize employees with key internal policies such as acceptable use, password requirements, data handling procedures, mobile device usage, and remote access guidelines. Each policy should be tied to the specific risks it mitigates, helping staff understand the “why” behind the rule.

Audits may include random checks, scheduled reviews, or automated scans for policy violations. Employees should be prepared for these activities and understand that audits are part of a healthy cybersecurity program, not a form of punishment. When approached as collaborative opportunities for improvement, audits can actually strengthen trust in the organization.

Consequences for non-compliance should be clear but proportionate. Minor infractions might result in additional training or a policy review, while repeated or serious violations may require disciplinary action. Training should emphasize that policies apply to all levels of the organization, including leadership, and that no one is exempt from accountability.

Metrics from audits should be shared in a de-identified manner to highlight areas of strength and improvement. Transparency builds confidence and allows employees to see how their behaviors contribute to organizational outcomes. Recognizing departments with strong compliance can also serve as a motivational tool.

Measuring the Effectiveness of Cybersecurity Awareness Training

Training is only as good as the results it delivers. That’s why every cybersecurity awareness program must include a framework for measuring effectiveness. These metrics help identify gaps, optimize content, and demonstrate return on investment to leadership.

Training effectiveness can be assessed in several ways. Knowledge retention is often evaluated through quizzes or tests administered before and after training sessions. A significant improvement in scores indicates that employees are absorbing the material. However, knowledge alone does not guarantee behavior change.

Behavioral metrics are often more telling. These include how employees respond to simulated phishing attempts, whether they report suspicious messages, and whether they follow password guidelines or access control rules. A decrease in risky actions and an increase in proactive behavior are strong indicators of success.

Surveys and feedback forms also play an important role. Employees should be asked whether the training is understandable, relevant, and engaging. Open-ended feedback can reveal areas where the content may be confusing or where real-world scenarios are missing.

Another useful metric is incident volume and reporting speed. If employees are better trained, they may report incidents faster and more accurately, allowing IT to respond promptly. A reduction in the severity of incidents—due to faster containment—can also point to improved awareness.

Organizations should use dashboards to track these metrics over time. Trends can highlight whether awareness is growing or stagnating and which departments may need more targeted interventions. Regularly updating leadership with these insights helps sustain support for training initiatives.
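The behavioral metrics from the simulated phishing tests described earlier and the dashboard trends above can be computed from a campaign result table. The Python below is an added example (not code from the article): it takes constructed per-employee results from two mock campaigns and derives per-department click and report rates, median time to report, the campaign-over-campaign trend, departments below threshold, and repeat clickers. The department names, thresholds and result rows are assumptions built for the example.

```python
"""Metrics for simulated phishing campaigns.

Added example, not code from the article. RESULTS is constructed data; the
refresher thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import median

# One row per employee per campaign:
# (campaign, employee, department, clicked_mock_link, minutes_until_reported or None)
RESULTS = [
    ("2024-Q1", "alice", "Finance",     True,  None),
    ("2024-Q1", "bob",   "Finance",     True,  240),
    ("2024-Q1", "carol", "Finance",     False, 35),
    ("2024-Q1", "dave",  "Finance",     False, None),
    ("2024-Q1", "erin",  "Engineering", False, 12),
    ("2024-Q1", "frank", "Engineering", True,  None),
    ("2024-Q1", "grace", "Engineering", False, 20),
    ("2024-Q1", "heidi", "Engineering", False, None),
    ("2024-Q2", "alice", "Finance",     False, 60),
    ("2024-Q2", "bob",   "Finance",     True,  90),
    ("2024-Q2", "carol", "Finance",     False, 15),
    ("2024-Q2", "dave",  "Finance",     False, 45),
    ("2024-Q2", "erin",  "Engineering", False, 8),
    ("2024-Q2", "frank", "Engineering", False, 30),
    ("2024-Q2", "grace", "Engineering", False, 10),
    ("2024-Q2", "heidi", "Engineering", False, None),
]


def _rates(rows):
    """Click rate, report rate and median minutes-to-report for a set of rows."""
    sent = len(rows)
    clicks = sum(1 for clicked, _ in rows if clicked)
    times = [m for _, m in rows if m is not None]
    return {
        "sent": sent,
        "click_rate": clicks / sent,
        "report_rate": len(times) / sent,
        "median_minutes_to_report": median(times) if times else None,
    }


def department_metrics(results, campaign):
    """Per-department metrics for one campaign."""
    groups = defaultdict(list)
    for camp, _emp, dept, clicked, mins in results:
        if camp == campaign:
            groups[dept].append((clicked, mins))
    return {dept: _rates(rows) for dept, rows in groups.items()}


def campaign_trend(results):
    """Organisation-wide click and report rate per campaign, in campaign order."""
    groups = defaultdict(list)
    for camp, _emp, _dept, clicked, mins in results:
        groups[camp].append((clicked, mins))
    return {camp: _rates(groups[camp]) for camp in sorted(groups)}


def needs_refresher(results, campaign, max_click_rate=0.3, min_report_rate=0.6):
    """Departments whose click rate is too high or report rate too low (assumed thresholds)."""
    return sorted(dept for dept, m in department_metrics(results, campaign).items()
                  if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate)


def repeat_clickers(results):
    """Employees who clicked in more than one campaign: candidates for targeted coaching."""
    clicks = defaultdict(set)
    for camp, emp, _dept, clicked, _mins in results:
        if clicked:
            clicks[emp].add(camp)
    return sorted(emp for emp, camps in clicks.items() if len(camps) > 1)


if __name__ == "__main__":
    for camp, m in campaign_trend(RESULTS).items():
        print(camp, f"click {m['click_rate']:.0%}  report {m['report_rate']:.0%}")
    print("Q1 needs refresher:", needs_refresher(RESULTS, "2024-Q1"))
    print("repeat clickers:", repeat_clickers(RESULTS))
```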

Evolving Threats and Trends in Cybersecurity Awareness

Cybersecurity is an ever-changing field. As threats evolve, so too must awareness training. Organizations that fail to update their content risk leaving employees unprepared for the latest attack vectors. Modern training programs must be agile, data-driven, and forward-looking.

One of the most significant trends is the increasing use of artificial intelligence by both attackers and defenders. AI-powered phishing campaigns can generate highly personalized messages, making them more difficult to detect. Training must now address deepfakes, voice spoofing, and synthetic social engineering tactics that can mimic real people with alarming accuracy.

Cloud computing and SaaS adoption also require expanded training. Employees must understand how to safely use cloud-based tools, manage shared access, and store files in compliance with company policies. Misconfigurations in the cloud can lead to massive data exposures—often caused by simple user error.

Social media also continues to be a security concern. Training should remind employees about what information is appropriate to share online, how attackers mine social profiles for spear-phishing campaigns, and why oversharing—even unintentionally—can aid cybercriminals.

Another emerging area is the convergence of physical and digital security. With smart office devices, remote badge systems, and connected surveillance tools, a breach in physical security can lead to digital compromise, and vice versa. Awareness training should address these intersections, particularly for employees in facilities management or executive roles.

Finally, diversity and inclusion are beginning to shape how cybersecurity training is delivered. Not all employees learn the same way, and cultural or language barriers can affect training outcomes. Offering content in multiple languages, varying the delivery format, and ensuring accessibility for people with disabilities all help create a truly inclusive program.

Continuous Improvement and Future Readiness

Cybersecurity awareness is not a project with an endpoint—it is an ongoing discipline. Organizations must commit to a cycle of continuous improvement, ensuring that their workforce remains vigilant, informed, and equipped to deal with the threats of tomorrow.

This commitment begins with regular training updates. At a minimum, organizations should refresh their cybersecurity training annually, with additional modules released as needed to address emerging risks. Organizations in regulated industries may need to update more frequently to stay compliant.

Cross-functional collaboration is also essential. Security teams should work with HR, legal, compliance, and communications to ensure training is consistent, well-integrated, and reflective of the organization’s risk profile. Employee feedback should be collected regularly and acted upon to improve engagement and retention.

Leadership plays a pivotal role in the success of awareness programs. Executives must not only support cybersecurity initiatives financially but also embody them in practice. When employees see leadership participating in training and adhering to policies, it reinforces the importance of security as a shared value.

Finally, prepare for the unknown. Cyber threats will continue to evolve, often in unpredictable ways. By fostering a culture of curiosity, accountability, and resilience, organizations can empower their employees to become active defenders rather than passive liabilities. This mindset shift—from reactive compliance to proactive awareness—is the true measure of cybersecurity maturity.

Real-World Case Studies: Lessons in Cybersecurity Awareness

Using case studies in training helps employees see how cybersecurity incidents happen in the real world—and how they can be prevented. These examples provide valuable insights into the human factors behind data breaches and highlight the importance of awareness at every level of an organization.

Case Study 1: Phishing Attack at a Global Healthcare Provider

A healthcare organization suffered a major data breach after an employee clicked on a phishing email that appeared to come from an internal department. The email contained a link to a fake login page, where the employee unknowingly entered their credentials. The attacker then used the stolen login to access sensitive patient data.

Key takeaways:

  • Even trusted-looking messages must be verified.
  • Simulated phishing campaigns could have helped the employee spot red flags.
  • Two-factor authentication (2FA) could have prevented unauthorized access.

Case Study 2: Ransomware at a Manufacturing Company

An employee at a mid-sized manufacturing firm connected a personal USB drive to a company computer, unknowingly introducing ransomware into the network. The malware encrypted critical files and shut down production for three days. The company paid the ransom to restore operations but still suffered financial and reputational damage.

Key takeaways:

  • Policies around removable media were not clearly communicated.
  • Employees must be trained on the dangers of unauthorized devices.
  • Regular backups would have provided a recovery option without payment.

Case Study 3: Insider Threat in a Financial Institution

A departing employee at a financial firm retained access to confidential client data after leaving the company. They used this data in a competing business venture, resulting in a lawsuit and regulatory scrutiny. An investigation revealed that account deactivation protocols were delayed by several days.

Key takeaways:

  • Timely revocation of access is critical during employee offboarding.
  • Awareness about insider threats should extend to HR and management teams.
  • Strong identity and access management systems are essential.
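The delayed deactivation in Case Study 3 is the kind of gap a routine reconciliation between the HR roster and the account directory catches. The Python below is an added example (not code from the article): it compares a constructed roster of termination times against constructed account records and flags accounts still enabled past a deactivation grace period, accounts used after their owner's termination, and accounts with no HR record at all. The people, accounts, grace period and as-of time are all assumptions built for the example.

```python
"""Reconcile the HR roster against the account directory after offboarding.

Added example, not code from the article. HR_ROSTER, ACCOUNTS, AS_OF and the
24-hour grace period are constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Person:
    user: str
    terminated: Optional[datetime]   # end of last working day; None = active employee


@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[datetime]


def offboarding_findings(roster, accounts, as_of, grace_hours=24):
    """Return (user, severity, detail) tuples, highest severity first.

    high:   the account was used after its owner's termination time
    medium: the account is still enabled past termination + grace, or has no HR record
    """
    by_user = {p.user: p for p in roster}
    findings = []
    for acct in accounts:
        person = by_user.get(acct.user)
        if person is None:
            findings.append((acct.user, "medium", "no matching HR record (orphan account)"))
            continue
        if person.terminated is None:
            continue                      # current employee, nothing to check
        if acct.last_login and acct.last_login > person.terminated:
            findings.append((acct.user, "high",
                             f"login at {acct.last_login:%Y-%m-%d %H:%M} after termination"))
        deadline = person.terminated + timedelta(hours=grace_hours)
        if acct.enabled and as_of > deadline:
            overdue = int((as_of - deadline).total_seconds() // 3600)
            findings.append((acct.user, "medium",
                             f"still enabled {overdue} h past deactivation deadline"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


# Constructed sample data.
HR_ROSTER = [
    Person("alice", None),
    Person("bob",   datetime(2024, 3, 1, 17, 0)),
    Person("carol", datetime(2024, 3, 5, 17, 0)),
    Person("dave",  datetime(2024, 2, 20, 17, 0)),
]
ACCOUNTS = [
    Account("alice",      True,  datetime(2024, 3, 6, 9, 0)),
    Account("bob",        True,  datetime(2024, 3, 4, 22, 15)),   # used days after leaving
    Account("carol",      True,  datetime(2024, 3, 5, 16, 0)),    # left yesterday, inside grace
    Account("dave",       False, datetime(2024, 2, 20, 12, 0)),   # correctly disabled
    Account("svc-backup", True,  None),                           # no owner in HR
]
AS_OF = datetime(2024, 3, 6, 10, 0)

if __name__ == "__main__":
    for user, severity, detail in offboarding_findings(HR_ROSTER, ACCOUNTS, AS_OF):
        print(f"{severity:6} {user:10} {detail}")
```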

Tools and Resources for Ongoing Cybersecurity Awareness

A strong cybersecurity awareness program benefits from the support of external tools and educational resources. These can supplement internal training and help maintain engagement throughout the year.

Security Awareness Platforms

Platforms like KnowBe4, Proofpoint, and Infosec IQ offer customizable training content, simulated phishing tests, and reporting dashboards to track progress and identify gaps.

Cybersecurity News Sites

Encourage employees to follow trusted cybersecurity news sources, such as:

  • Krebs on Security
  • The Hacker News
  • Threatpost

These resources help employees stay current with new threats and trends.

Government and Nonprofit Resources

National cybersecurity agencies and nonprofit groups offer free guides, posters, and training materials:

  • National Institute of Standards and Technology (NIST)
  • Cybersecurity and Infrastructure Security Agency (CISA)
  • Stay Safe Online (powered by the National Cybersecurity Alliance)

Internal Communications and LMS Integration

Cybersecurity training should be integrated with internal learning management systems (LMS) where possible. Scheduled updates, reminders, and brief learning modules can be pushed directly to employees.

Incident Response Templates

Providing downloadable incident reporting forms or flowcharts can streamline the response process. Templates should outline who to contact, what to include in a report, and what not to do during an incident.

Gamified Learning Tools

Interactive apps and games like phishing simulators or escape room-style challenges help reinforce learning through real-time decision-making. These tools are especially effective for younger or digitally native employees.

Final Thoughts

Cybersecurity awareness is not just about rules and risks—it’s about empowering people. By giving employees the tools, knowledge, and support they need, organizations can transform their workforce into a powerful first line of defense.

Whether it’s spotting a phishing email, protecting customer data, or responding calmly during a breach, every small action adds up. With regular updates, leadership support, and a commitment to continuous learning, cybersecurity awareness becomes more than a program—it becomes a mindset.