Organizations are faced with a variety of ever changing information security risks. This study examines the state of information security, user groups and user roles responsible for and ISO/IEC domains required for risk mitigation in a large public organization in Canada. The objective is to develop a comprehensive risk and role based framework for an enterprise security awareness, training and education (SATE) program for ISO/IEC 27002 compliance with the intent to improve an existing SATE program in a large public organization. This paper discusses the results of an information security survey conducted in 2010 and describes the framework and its components and interactions. Significant findings of this study include: (1) a new and more comprehensive set of user roles within a user group for a SATE program not previously identified by the SANS Institute, (2) a significant number of new threats and vulnerabilities not previously identified in global and national information security surveys, (3) the use of a risk factor to prioritize what information security risks should be addressed in a SATE program, (4) the rationalization for the subject content in an enterprise SATE program and (5) a framework for a risk and role based enterprise SATE program for ISO/IEC 27002 compliance.