Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Aug 21, 2007

Awareness through incidents

Educational Security Incidents (ESI) is a blog comprising brief summaries of (mostly privacy related) security incidents culled from the news media. These are intended to be used for security awareness purposes: analysis and deconstruction of the incidents can indeed be used for case studies or just to pep-up other awareness materials.

There are of course zillions of similar sources on the Web, from the regular news media to assorted blogs, mailing lists (such as RISKS-List) and discussion fora (such as CISSPforum and Security Catalyst), plus books such as Dear Valued Customer, You Are A Loser and those by Ira Winkler and Kevin Mitnick.

Stories of security incidents from within the organization are even more powerful, although in highly political organizations they are quite likely to be suppressed by those involved. I know of at least one Internal Audit function that uses incidents in this way, regardless of the company politics: they produce an annual booklet describing chosen incidents, in each case outlining the background to the situations and the impacts, and usually they add some subsequent commentary about how the controls were (belatedly) changed for the better. The booklet becomes a control, governance, security and fraud education resource for management. Nice!