Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Jul 25, 2017

NBlog July 25 - glossary as an awareness tool

By coincidence, two of the professional groups/discussion forums I frequent have both been discussing terminology today.

It takes a particular personality type to enjoy discussing terminology, in depth. It requires both tight focus and a broad appreciation of the field. It helps to be well-read, since terms and concepts generally emerge from study or research that may be obscure. It helps also to be open-minded, since terminology is one of those things that fires up experienced and knowledgeable colleagues: the passion is almost palpable! I'm not at all worried about being "put straight" by respected gray-beards - we all give as good as we get, part of the cut-n-thrust of professional discussion.

Some might consider us anally-retentive. 

On the other hand, the information content of language is critically dependent on the meanings, interpretations and implications of the words we use. In relatively new and complex areas such as information security, misunderstandings and confusion stemming from limited or inappropriate vocabulary can be inconsequential, mildly annoying or problematic, depending on the context. On top of that, language evolves naturally as a consequence of how it is used in social intercourse. There is plenty of wiggle-room. 

Anyway, today we've been discussing the meaning of about a dozen core terms of art in the field of information risk and security. Although I don't intend to expand on the definitions and discussion here, it's a chance to raise a more general point about awareness and training.

Explaining terminology is an important part of any decent awareness program or training course. It helps set the scene for both the audience and the authors/presenters/trainers. It differentiates relatively superficial from more in-depth approaches - the former gloss over the details anyway.

We maintain an extensive information security glossary, updating and re-issuing it every month in the course of developing each batch of awareness content. Any specialist terms used in the definitions are hyperlinked to their own definitions, making it interesting (fun even!) to follow one's nose from term to term, hopefully discovering and learning new stuff along the way. It reminds me of the joys of browsing dictionaries, encyclopedias and most of all Roget's Thesaurus when I was young (yes, a long, long time ago, pre-Google, when we thumbed through reference books made of a substance known as paper).

At the same time, I'm not a professional lexicographer. The glossary is a valuable working tool, not a formal academic treatise. We quote numerous "official" definitions from various "official" sources such as ISO/IEC 27000, but in most cases we add our own pragmatic definitions - particularly when the formal ones are too obscure, narrow or plain misleading for our purposes.

Here's a tiny extract to demonstrate its style:

I added "Actuary" today, in connection with August's awareness topic, cyberinsurance. Along with other terms relevant to cyberinsurance, it is picked out in red. In the definition, "data" and "risk" are underlined hyperlinks to their respective definitions ("risk" is pink because I've followed that hyperlink to check and update the definition, following today's exchange on the forums). 

Some of the definitions (such as that one for activist) are a little tongue-in-cheek because they amuse me, and hopefully those little nuggets of humor spur-on the intrepid reader who has the interest and the stomach to browse an information security glossary. Our aim in awareness is not just to educate or inform, but to entertain and engage - a delicate balance. 

The whole thing is now a little over 300 A4-pages, defining over 2,000 terms with over 80,000 words in total, and still growing by a page or two most months.  If you'd like a copy, we've published it as Kindle eBook on Amazon for less than $10 ... or you'll get it for free as an MS Word document with monthly updates by subscribing to NoticeBored.

Jul 22, 2017

NBlog July 22 - ISO27k for GDPR

Someone just reminded me that nearly a year ago I wrote a document mapping the EU General Data Protection Regulation requirements to an ISO27k Information Security Management System.

The idea is to demonstrate how the ISMS satisfies most of the GDPR requirements, within an overarching governance framework that has other benefits (since it covers more than just privacy).  

If you find yourself in a bit of a pickle right now, under pressure from management to "do GDPR, and quick!", the mapping document helps by laying out and explaining the requirements. Even if you don't have an ISO27k ISMS at present, and have no immediate intention of implementing one, the structure is well worth considering. Turn GDPR from a challenge into an opportunity!

The mapping was released as part of the free ISO27k Toolkit and is covered by a Creative Commons license, so feel free to share the links with your peers.


Jul 21, 2017

NBlog July 21 - Global Risk Management Survey

Yesterday I blogged about various information sources that keep me abreast of the field. 

Right on cue, here's an excellent example: a shiny nugget I found on the Web today, following my nose from a Google search through several other references and links.

Aon's latest Global Risk Management Survey reports on an online survey completed by business people from 1,843 organizations globally at the end of 2016. 

According to the 2017 report, the top 10 risks of most concern to management are:

  1. Damage to reputation/brand 
  2. Economic slowdown/slow recovery 
  3. Increasing competition 
  4. Regulatory/legislative changes
  5. Cyber crime/hacking/viruses/malicious codes 
  6. Failure to innovate/meet customer needs 
  7. Failure to attract or retain top talent 
  8. Business interruption 
  9. Political risk/uncertainties 
  10. Third party liability (inc. E&O)

I've highlighted #5 - cyber risks - because they are so obviously relevant to information security awareness.

Apparently, cyber risks were ranked #1 by respondents from the aviation, education and government sectors. Why might that be?
  • The aviation industry is extremely safety-conscious, so I guess they are concerned at the possibility of cyber incidents leading to injuries and deaths, for example through cyber-terrorism. On top of that, fly-by-wire planes are critically dependent on their on-board IT systems so system design flaws, bugs, configuration and operator (especially pilot!) errors can be lethal. The dreaded blue screen of death could be literal. 
  • Governments, meanwhile, must deal with sophisticated and well-resourced cyber-attacks by other nation states, while doing their best to protect critical national infrastructures and economies. They also need to address terrorists and criminals, as well as tax-evaders, fraudsters and so on. As they become increasingly computerized, governments are inevitably more exposed to cyber threats.
  • I don't really know why the education sector is so worried about cyber risk, except perhaps the fact that kids today are more cyber-savvy than all previous generations, including the teachers and administrators trying to educate them. Hmmm, not sure about that.  [Thoughts, anyone?]
I am surprised the finance industry is more worried about other risks, but then they have to deal with global economics, politics and regulation, so maybe cyber risks are just another challenge!
"Cyber threat has now joined a long roster of traditional causes—such as fire, flood and strikes—that can trigger business interruptions because cyber attacks cause electric outages, shut down assembly lines, block customers from placing orders, and break the equipment that companies rely on to run their businesses. This explains the dramatic rise in ranking, from number nine in 2016 to number five this year. For survey participants who are risk managers, they have voted it a number two risk, probably because cyber breaches are becoming more regulated, with many companies in the U.S. and Europe facing mandatory disclosure obligations. Similar requirements are being introduced in Europe and elsewhere. As a result, cyber concerns will continue to dominate the risk chart ... About 33 percent of surveyed companies are now purchasing cyber[insurance] coverage, up from 21 percent in the previous survey."

Jul 20, 2017

NBlog July 20 - navigating the World Wide Warren

A while back, this blog made it onto Feedspot's top 100 infosec blogs. Today, I finally got around to displaying our medal. Thanks Feedspot. I'm honored to be listed among such awesome company! 

A couple of times lately, I've been asked how I manage to keep up with the field for our security awareness and consultancy services. Good question! 

Blogs are an excellent source of information and inspiration. I track a bunch of blogs routinely through Blogger - roughly 40 on my reading list at the moment although some of those are in fact feeds aggregating or streaming an unknown number of individual blogs, and some relate to my hobbies and interests outside infosec. Yes, I have a life! The trick with blogs is to find and track the more creative bloggers who consistently generate good stuff, discarding those who only ever re-post other people's efforts, adding little if any value. [Yes, there are blogs in Feedspot's top-100 that I ought to be following: systematically checking them out and adding the best to my reading list is another task on my to-do list.]

I browse a few favourite magazine sites from time to time, such as The Register. Well-connected journalists come up with interesting stories. I most enjoy articles that take different angles and scratch below the surface, pulling together facts and opinions from various sources that I would otherwise have missed. [A decade or more ago, magazines and newspapers were also good for actual news, but these days social media outpace them most of the time.]

I enjoy well-written books and maintain a decent office library. In contrast to the other sources, most books go deep, requiring more effort and concentration ... but the reward is a deeper appreciation of a topic area, including conceptual frameworks.

Talking of gossip, I enjoy being part of various online discussion forums and professional/industry groups. Mostly it's a slog, though, with the vast majority of participants contributing nothing at all - it's just take take take for them. Aside from the few who actively post and discuss stuff, the rest somehow seem to suck the life out with their deafening silence. 

RISKS-LIST is a remarkable resource, thanks to the tireless efforts of its moderator since the dawn of time, as much as the contributors. I doubt there has been a single issue that didn't contain at least one item worth exploring further. 

Google+ occasionally puts me onto something new - well not so much Google+ itself as the extended family of friends and colleagues who post stuff there. Again, it's a shame more infosec pros aren't actively using Google+ routinely. Not quite enough to reach critical mass as yet, although I should put more effort into searching out more bright sparks. [My to-do list grew again.]

Linkedin is another occasional source, specifically a handful of infosec-related groups and postings by my connections. However, the deluge of marketing tripe is a serious problem - far too many 'social media marketing experts' putting the din in Linkedin. The abysmally low signal-to-noise ratio means a lot of wasted time, distractions and annoyances. I blame the apparent lack of moderation, coupled with a preponderance of vacuous advertisements spewing forth in the guise of news, like so many home-shopping channels on speed.

Personally I'm not into Twitter, Facebook and the like. I just don't have the time for such trivia.

Google rocks! The search engine is awesome, albeit a little annoying and inconsistent at times. The intense focus on whichever web pages make it to the top of the search results is a concern since there are bound to be more innovative nuggets buried further down the list. Perhaps Google ought to give us the option to promote a few matching sites at random into the search results we see? Meanwhile, I make good use of the search options and syntax to dig out what's new. [Blogger is a Google service so this very blog would be off-the-air without Google.]

Lastly of course, there's the World Wide Web, without which we'd still be stuck in the Dark Ages. All those blogs, groups, journalistic pieces and search results are basically just pointers to the gold, not the gold itself. Original research papers, surveys and articles are how I really find out about infosec. Industry journals such as ISSA and ISACA's Journals often publish meaty, worthwhile, peer-reviewed content with traditional references to their sources ... leading me down deep dark rabbit warrens that I first learnt to navigate when doing my PhD way back in the 80's. 

So that's how I keep up with the state of the art. Almost anyone can do it: all it takes is about 12 hours of intense concentration per day, a lifetime's interest in scientific research ... and a million rabbits.

Jul 19, 2017

NBlog July 19 - drawing order from chaos

We're plugging steadily away on August's awareness module on cyberinsurance, with nothing much to report today ... but I will just mention the word cloud.

The clutter represents (figuratively) how cyberinsurance words appear to people who hear or read - but don't really understand - them. 

Words that are relatively commonplace or more relevant to the topic are emphasized in a larger font size to stand out from the remainder but other than that it's obviously a jumble. 

Helping people make sense of the topic is a general aim of awareness materials and programs of all kinds. We bring out structures and relationships within the topic area, and between this and other topics, forming a mesh or framework to aid understanding.

As well as being a useful illustration for the module, the word cloud reminds us to be clear as we prepare the materials, taking our varied audiences into account. The complexity varies both from topic-to-topic and within any one topic area: a significant part of our job is to simplify and explain, ideally without just glossing over or ignoring those complexities. We can reasonably expect the more experienced professionals in our audience, for example, to be more willing to tackle and grasp the details than workers in general. They have different backgrounds and needs. Awareness programs that only provide superficial information offer little value, while expensive, in-depth training courses are only appropriate for specialists ... leaving a void in the middle ground that we are filling.

As well as the word clouds, the mind maps, diagrams, poster images and other graphics, plus the written or spoken words, build a picture that makes sense.

In short, we're drawing order from chaos.


Jul 18, 2017

NBlog July 18 - awareness + training = learning

"The Trouble if Security Awareness Training Is Mainly a Penalty" is a well-written piece by Dan Lohrmann on the Government Technology website, expanding on several points relating to personal motivation and corporate culture.

"I believe transforming the security culture still remains our greatest challenge as we head toward 2020. But how can we get to this elusive “culture of security” while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?"

One of the concepts or approaches Dan discusses is 'just in time training', a buzzword which implies doing away with general awareness activities in favor of something more focused on the specific needs of individuals. I believe that is known as 'training' (!) which certainly has value ... but still I maintain that awareness and training are complementary approaches - neither the same thing (despite widespread use of the misleading term "awareness training"), nor alternatives. Both training and awareness are valuable.

Let me explain with a familiar example. 

Most of us learn to drive through training - normally intensive, one-on-one guidance by an experienced, competent and qualified driver trainer, someone who coaches and leads us through the process of acquiring the knowledge, skills and capabilities necessary to pass the driving test. 

Driver training is expensive in terms of the fees plus the time and focus required. You can't really learn to drive without giving it your full attention. In the early stages, the manual coordination required to get the vehicle moving in roughly the right direction, and to stop when required, is mentally challenging and physically tiring. Later on as our competence increases, we become more relaxed ... unless/until something unfamiliar happens (such as someone turning across our path) when the instructor's dual-controls come to the rescue! 

Training has a specific goal - passing the test - plus broader objectives such as safety. Learning the 'rules of the road' is a particular aim, covering relevant laws (such as staying within the speed limits) that are likely to affect the outcome of the driving test. 

Most of us learn about road safety through a more general, informal style of learning, closer to awareness. We may be explicitly taught specific skills such as crossing the road safely at marked crossings, but mostly we learn to be safe on the roads in a gradual, life-long experiential process - we experience and figure out how to deal with hazardous situations at first hand. Even if the speed limit is 50, we discover that rain, snow and ice materially affect changes of direction or speed, hence the safe speed may be much less than 50. Hazardous road junctions, kids playing and (other!) unrestrained animals may have been pointed out by our instructor, mentioned in official guidelines, even brought up by TV advertisements ... but facing actual incidents, for real, really brings the warnings home at a more emotional than intellectual level. We literally gasp and shake.

That describes a conventional approach, although of course there are variations - advanced driver training, for instance, and self-training. I doubt anyone would seriously suggest doing away with training or awareness: they complement and support each other.

Finally, if you're not already confused enough, in everyday language 'training' often refers to fitness training, specifically. People get physically fit by exercising. In a broader sense, exercises are an excellent way to learn things by going through the motions, practicing behaviors in a deliberate, conscious way in the hope they will become automatic even when we are in a panic. Fire evacuation, penetration tests, case studies and business continuity tests/rehearsals are all exercises: whether you think of them as training or awareness is moot. Either way, we know they work. They have their place. 

Gary (Gary@isect.com)

Jul 17, 2017

NBlog July 17 - cyberinsurance metrics

To illustrate the need for cyberinsurance, we'll be using commonplace IT incidents that are easy to explain in August's awareness materials, being familiar to or readily understood by the target audiences.

People who don't already know much about insurance may be surprised to learn that such incidents are not covered by traditional policies - at least not for certain, and not in full.  So that's something they will learn.  They will also learn that cyberinsurance is available, and (if properly specified) would cover those same incidents. Probably, and again not in full - another learning point.

So aside from simply learning stuff, what if anything are people supposed to do differently if August's security awareness effort is effective? To answer that requires us to figure out what behavioral changes might be expected to occur in the organization.

One way to think this through is to identify activities that should ideally start or increase, or should decrease or stop, such as:
  • Cyberinsurance-related awareness activities should of course increase, for example more visits to the intranet pages on this topic, awareness materials being downloaded, people attending seminars etc.;
  • Workers in general ought to be thinking and hopefully chatting about cyberinsurance:
    • It should feature on relevant agendas e.g. in information risk and security management meetings, and perhaps board or exec team meetings;
    • Managers and professionals should start thinking of cyberinsurance as a commercially viable way to treat cyber risks, for instance including it explicitly as an option to consider in related policies, procedures, guidelines and checklists;
    • Cyberinsurance terms should crop up more often in various internal communications (aside from the awareness materials, that is), such as emails, memos, reports and casual conversation;
  • Someone should start digging out and checking through the fine print of existing insurance policies, and if appropriate procuring, negotiating or renegotiating cyberinsurance cover;
    • There should be an increase in the associated procurement and insurance activities;
    • Studies, reviews and audits may be conducted in this area;
    • There will probably be demonstrable management decisions in this area e.g. approval to (re)negotiate cyberinsurance and spend money;
    • There may be budgetary impacts if cyberinsurance is increased and/or conventional insurance is pared-back; 
  • There should probably be a reduction in the level of residual information risk that is accepted by the organization, as other forms of risk treatment (not just cyberinsurance) increase;
  • People should stop naively thinking of insurance as a catch-all solution to all their cyber problems.
Anything that can be observed to change can be measured, hence our analysis is a basis for identifying possible information security metrics in this area. It supports the GQM approach through which one identifies business Goals, poses Questions arising, then comes up with Metrics that would help answer the questions and so fulfill the goals. 
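As an added illustration of one metric from that analysis (not code from the NBlog post or from NoticeBored): the goal is "workers engage with the cyberinsurance awareness module", the question is "are intranet page visits and material downloads up after launch?", and the metric is computed from constructed web-server log lines. The log format, the intranet paths, the launch date and the sample lines are all assumptions for the example.

```python
"""GQM-style awareness metric computed from constructed intranet access logs."""
import re
from collections import Counter
from datetime import datetime, date

# Assumed: the intranet server writes Combined Log Format (Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical location of the awareness module on the intranet; anything under
# the prefix counts, and documents with these suffixes count as downloads.
PAGE_PREFIX = "/awareness/cyberinsurance/"
DOWNLOAD_SUFFIXES = (".pdf", ".pptx", ".docx")

LAUNCH = date(2017, 8, 1)  # constructed launch date of the August module

# Constructed sample log: two hits before launch, several after, one 404,
# one unrelated page, one POST and one malformed line to be skipped.
SAMPLE_LOG = """\
10.1.2.3 - - [25/Jul/2017:09:14:02 +1200] "GET /awareness/cyberinsurance/index.html HTTP/1.1" 200 5120
10.1.2.4 - - [26/Jul/2017:10:30:11 +1200] "GET /awareness/phishing/index.html HTTP/1.1" 200 4096
10.1.2.5 - - [28/Jul/2017:14:02:45 +1200] "GET /awareness/cyberinsurance/briefing.pdf HTTP/1.1" 200 210334
10.1.2.3 - - [02/Aug/2017:08:05:19 +1200] "GET /awareness/cyberinsurance/index.html HTTP/1.1" 200 5120
10.1.2.6 - - [02/Aug/2017:08:06:40 +1200] "GET /awareness/cyberinsurance/faq.html HTTP/1.1" 200 3300
10.1.2.7 - - [03/Aug/2017:11:21:05 +1200] "GET /awareness/cyberinsurance/briefing.pdf HTTP/1.1" 200 210334
10.1.2.8 - - [03/Aug/2017:11:22:16 +1200] "GET /awareness/cyberinsurance/seminar.pptx HTTP/1.1" 200 880000
10.1.2.9 - - [04/Aug/2017:16:47:33 +1200] "GET /awareness/cyberinsurance/index.html HTTP/1.1" 404 512
garbage line that should be ignored
10.1.2.4 - - [05/Aug/2017:09:00:00 +1200] "POST /search HTTP/1.1" 200 100
"""


def parse_line(line):
    """Return (day, path, status) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the timezone offset; only the calendar day matters for the metric.
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return ts.date(), m.group("path"), int(m.group("status"))


def awareness_metrics(log_text, launch=LAUNCH):
    """Count successful page views and downloads of the module, before and after launch."""
    counts = {"before": Counter(), "after": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skipped, never counted
        day, path, status = parsed
        if status != 200 or not path.startswith(PAGE_PREFIX):
            continue  # failed requests and other topics are out of scope
        period = "after" if day >= launch else "before"
        kind = "downloads" if path.lower().endswith(DOWNLOAD_SUFFIXES) else "page_views"
        counts[period][kind] += 1
    return counts


def moved_as_expected(counts, kind, expected="increase"):
    """GQM check: did the metric move in the direction the awareness plan predicts?"""
    before, after = counts["before"][kind], counts["after"][kind]
    return after > before if expected == "increase" else after < before


if __name__ == "__main__":
    result = awareness_metrics(SAMPLE_LOG)
    for kind in ("page_views", "downloads"):
        print(kind, dict(before=result["before"][kind], after=result["after"][kind]),
              "increased" if moved_as_expected(result, kind) else "did not increase")
```

The same function, pointed at real access logs, gives one row of the metric per reporting period; the "decrease or stop" items in the list above would use the same check with `expected="decrease"`.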

Despite cyberinsurance being such an unusual and arguably esoteric topic, this amply demonstrates the nature and depth of analysis required to come up with valuable security metrics in general - all of which is fueled by effective security awareness. 


Jul 14, 2017

NBlog July 14 - the infosec pitch

A couple of days back I blogged about being more concise and focused in my writing. Today, with that in mind, I wrote the 'elevator pitch' on cyberinsurance. The whole point of the pitch is to get straight down to business so normally we manage to squeeze the key awareness message/s into about 150 words. 

This month's pitch is just over 100 words (700 characters) and I'm wondering how far we could squeeze it if we really tried. Is it feasible to sum up, say, cyberinsurance in a single tweet?

Well, yes, I'm sure we could concoct a message of less than 141 characters ... but why? Are people honestly so snowed-under with information that they can only spare us a few brief seconds? 

Advertisers face the same issue, hence those lame tag lines we see/hear so often (in NZ anyway) tacked on the end of the ads - things like "The real thing" and "I'm lovin' it". They've reduced the message to the point that virtually all meaning is lost. They have become symbolic rather than literal. The primary purpose is not to express anything so much as to trigger brand recognition. I bet you know which products those tag lines are associated with, right? Ker-ching!

Advertising is different to security awareness, although we have a fair bit in common. We can't rely on monotonous, ad nauseam repetition of our awareness content - or can we? Actually, we can, but at a deeper level than commercials. Beneath the superficial layers, we are constantly circling around and refreshing core messages about information risk, security, privacy, governance, responsibility and so forth, important concepts and principles underpinning all that we do. In a sense, the rest is just fluff to fill the screen.

As to tweeting, Donald Trump is kindly conducting a live experiment for us right now. He's certainly getting plenty of coverage: his tweets generate a surprising number of column-inches, although a lot of the reporting and commentary seems distinctly cynical or sarcastic. Is it meaningful communication? I'm unconvinced.

Jul 13, 2017

NBlog July 13 - building on awareness foundations

Cyberinsurance is one way to treat some cyber risks. Which ones?

That disarmingly simple question has taken next month's management seminar down a couple of interesting avenues.  

The first concerns the nature of cyber risks that one might reasonably expect to fall within the remit of cyberinsurance. Most don't. Insurers are particular about the kinds of risks they accept, actively managing their own risks and businesses.

Second is the distinction between insurance customers' 'reasonable expectations' and the reality of how policy terms and conditions are actually interpreted by the insurance companies and industry, the legal profession including the courts, and the regulators. 

We can explain the first issue quite easily using the PIGs (Probability Impact Graphs) that we provide in the awareness materials most months. Thanks to repeated prior exposure, we don't need to explain the PIG graphic to the audience laboriously, from first principles: we can leap directly into discussing distinct areas or groups of risks on the PIG. In other words, we are building upon the foundations of information risk and security awareness laid down in previous months, making reasonable assumptions about the audience's knowledge and understanding of the underlying concepts and taking them up a level. 

That's cool! It applies very broadly, not just in this specific case. A security-aware workforce starts at or above the ground floor in knowledge terms, not down in some cold, dark, damp and smelly basement.


Jul 12, 2017

Mid-winter sale

It’s f-f-f-f-freezing down here in New Zealand, so we’re spreading a little warmth.  

If you're quick, your first year’s subscription to the NoticeBored security awareness service will be US$1,200. Yes, just 100 USD per month, regardless of the size of your organization, for the very best security awareness content available.

We’ll even throw in the usual welcome gifts (the policy suite and Infosec 101 module) for free.  

This is a very special price, available to the first 50 new customers only ... so don’t delay, get in touch straight away.

To take advantage of this offer, simply mention “nuts off” in your inquiry.

If $100 is still too much for you, send us your sob story.  Persuade us that security awareness is not even worth $100 per month to you.  

Go ahead, make my day.  Seriously.