Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Aug 20, 2017

NBlog August 20 - FREE ISO27k audit guideline

Over the last few weeks, I've been busy with a virtual team of volunteers updating an ISMS audit guideline written prior to the 2011 release of the ISO/IEC standards 27007 (Guidelines for information security management systems auditing) and 27008 (Guidelines for auditors on information security controls). One of our goals at the time was to contribute to the development of the standards.

Meantime, not only have those two standards been published, but ISO/IEC 27001 and 27002 have also been updated ... so there was a lot of updating to do.

Our guideline is aimed at internal auditors, specifically IT auditors tasked with auditing either:

  • the management system parts of an Information Security Management System; or
  • the information security controls being managed by the ISMS.

In ISO27k, the management system is a combined governance and management framework - a structured approach similar to those for managing quality assurance, environmental protection and more. Auditing it is fairly straightforward because 27001 is quite explicit about what it should be. The guideline goes beyond certification auditing, though. Even if the ISMS fulfills the requirements of the standard, it may not satisfy the organization's needs. 

Auditing the information security controls is another matter entirely. 27002 is not a simple catalog of controls (like, say, PCI DSS). Instead, organizations identify and assess their information risks, then decide how to treat them using whatever controls they feel are appropriate. Given the variety of organizations that use it, the standard suggests literally hundreds of possible controls ... and acknowledges that it is not totally comprehensive. Auditing the controls is tough given their number and complexity, especially if management wants a reasonably detailed and comprehensive picture of the security status. 

The audit guideline ballooned to 100 pages at one stage before being viciously pruned to 'just' 50 - still a daunting prospect for a busy IT auditor. The suggestion is to use the guideline to develop a custom audit workplan or checklist that meets the parameters of the particular assignment - for instance, skimming through just the main points while ignoring the details for an overview, or going to town on a few areas of concern where the main risks and issues are thought to be.

Download just the ISMS audit guideline, or the entire ISO27k Toolkit.  Both are FREE! 

Aug 18, 2017

NBlog August 18 - security culture through awareness

That sums up our approach to using security awareness as a mechanism to foster a 'culture of security'.  In the spirit of yesterday's blog, rather than wax lyrical, I'll let the diagram speak for itself.  'Nuff said.

Aug 17, 2017

NBlog August 17 - InfoSec 101 for management

Today I've revised the management seminar for Information Security 101. Given our deliberately wide brief, there's quite a lot to say even at the relatively superficial 101/introductory level, so we're using thought-provoking pictures (mind maps, process diagrams and conceptual imagery) in place of reams of text and tedious bullet points. The whole seminar works out at just 12 slides ... at least that's the management seminar slide deck we'll be providing to subscribers. They can adapt the content, perhaps incorporating extras or indeed cutting back on the supplied content - and that's fine by us.

In fact, more than that, we actively recommend it! 

Much as we would like to offer awareness materials tailored for each customer, we simply don't have the resources. For starters, we would need to spend time getting to know and then keeping abreast of each customer's specific circumstances and needs ... and being information security related, there are confidentiality implications in that. Instead, we prefer to invest in research and development of high-quality cutting-edge awareness content, delivering editable materials that our valued customers can customize as they wish.

Keeping up with the field is quite a challenge, a fun one for us. In the 3 years or so since the InfoSec 101 module was last revised, we've witnessed the rise of BYOD, ransomware and cybersecurity. Current issues include IoT security and, looking forward, GDPR is set to make big waves in privacy in less than a year's time.

Most months we encourage customers to check and update their induction and other training course materials, picking and choosing from each new batch of NB content as appropriate. On a more subtle level, we're gently hinting that they should be proactively maintaining and refreshing their awareness and training content as a whole because outdated material can literally be worse than useless. 

If you work for a mid- to large-sized fairly mature organization, chances are your security awareness content includes stuff that is no longer relevant and misses out on emerging issues, even if you have someone dedicated to running the awareness and training program. If you are in a small organization with very limited resources, or one that depends on course materials updated 'whenever, if-ever', is it any surprise if newcomers get the impression that information security is unimportant, not a priority?

By the way, "NoticeBored" sprang from the realisation that people are bored stiff of the same-old-same-old - those tired and dog-eared awareness posters that have been up for years, the briefings and policies water-damaged from their time on the Ark. Old news is not news. Last year's battles are over. Wake up and smell the coffee!  Get with the beat!

Aug 16, 2017

NBlog August 16 - NIST SP800-53 draft v5

The public draft of NIST SP800-53 revision 5 is worth checking out.

Major changes in this draft:
  • "Making the security and privacy controls more outcome-based by changing the structure of the controls;
  • Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
  • Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
  • Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability."
NIST invites comments on the draft until September 12th.

NIST’s evolving Cybersecurity Framework is also worth a look. Although it's a little too cyber-centric for my liking, it has application well beyond the critical US national infrastructure for which it is intended (e.g. organizations have their own 'critical infrastructures'). I suspect the Framework Core Structure (particularly the 5 functions - Identify, Protect, Detect, Respond and Recover - corresponding to the timeline of an incident) may be one of several ways to 'tag' controls in the next release of ISO/IEC 27002.


Dr Gary Hinson PhD MBA CISSP
CEO of IsecT Ltd., New Zealand   
Passionate about information risk and
security awareness, standards and metrics

Aug 15, 2017

NBlog August 15 - work goes on

We've updated more stuff for the Infosec 101 module today:
  • 8 two-page case studies based on commonplace incidents; 
  • 13 one-page scam alerts on common scams (yes, 13); 
  • Generic job descriptions for an Information Security Awareness Manager, plus an Awareness Officer, and Awareness Contacts (part timers, distributed throughout the organization). 

Ticks are appearing and darkening on the contents listing at a reasonable rate.

Meanwhile, over on the ISO27k Forum, we've been discussing terminology and the pros and cons of various information security frameworks, and CISSP Forum has been yakkin' about quantum crypto key exchange and fake news.  

Oh and we've arranged for the tractor repair man to come over tomorrow to fix a broken valve and solenoid, and I popped down to the vet for antibiotics for 3 sick animals.

Quite a varied and productive day, all in all.

Aug 14, 2017

NBlog August 14 - why infosec?

Today I'm revising the InfoSec 101 presentation for general employees, starting with a brief introductory slide addressing questions along the lines of "What's the point of information security?" and "Why are you even telling me about it?".

It's not as easy as you might think to answer such fundamental questions, simply, for someone who may have no background or interest in the topic. So I went Googling for inspiration, and came across this neat list of infosec benefits from a company called Global Strategic:
  • Demonstrates a clear commitment to data security - including confidentiality and strict accessibility rules;
  • Provides procedures to manage risk;
  • Keeps confidential information secure;
  • Provides a significant competitive advantage;
  • Ensures a secure exchange of information;
  • Creates consistency in the delivery of our services;
  • Allows for inter-operability between organizations or groups within an organization;
  • Builds a culture of security;
  • Protects the company, assets, shareholders, employees and clients;
  • Gives assurance that a third party provider takes your data security (and your business) as seriously as you do
Some of those are not terribly helpful for our awareness purposes. A benefit of information security is security or protection [of information], yes, but that's obvious from the phrase! It doesn't move us forward.

Risk management is definitely a core purpose of infosec. I'm not keen on the idea that infosec 'provides procedures' though. Infosec is an overall approach, rather than simply a set of procedures or processes. "Infosec lets us manage risks" is closer to the mark, I think, or maybe "We use infosec to manage information risks". Hmmm.

Competitive advantage is another good one, although I think I would prefer to talk about 'enabling the business'. Whereas managers are presumably familiar with the concept of competitive advantage, I'm not sure about general employees. 'Enabling' is a fairly complex concept too, so "Infosec is good for business" would be an even better way to express it.

Re the notions of securely exchanging information and inter-operability: those seem quite narrow and specific to me - parts of infosec, for sure, but arguably too obscure for a relatively naive audience. They are technocentric, too, whereas we are keen to position infosec more broadly than just IT or cybersecurity. 

Consistency of service delivery reminds me of the CIA triad, an important point since most people naturally think infosec is just about secrecy. I'll have to figure out how to put that, if at all.

I like the point about infosec building 'a culture of security', although it is arguably too vague. We can express the notion as "The way we do things here".

Assurance is yet another important but fairly obscure concept. In plain language, 'trust' is simpler. Infosec is about building (generating and maintaining) trust, being able to trust the organization.

Aside from those points, what else might we say? Maybe something about safety? Compliance is another key driver, well worth mentioning I think.

I'll revise the PowerPoint slide and speaker notes accordingly, and will continue refining the messages as I continue researching and contemplating this topic. Meanwhile, there are about a dozen more slides to update in that presentation, and several more presentations to revise. It's easy for this perfectionist to get completely bogged-down! 

Aug 13, 2017

NBlog August 13 - updating

Another basic information security practice is updating e.g.:
  • Patch promptly (update software)
  • Lock-n-load (physical security)
  • Counter cons (social engineering)
  • Nuke nasties (update antivirus) 
  • Read rules (security policies)
Those short alliterative phrases are memory-joggers to catch people's imagination and remind them about the things they ought to be doing regularly.

Conspicuously missing from the list is changing passwords: once upon a time, it was generally accepted practice to force people to change their passwords every few weeks or months. I have never quite understood the rationale for this. It takes effort to think up and commit to memory yet another strong password, and there are security costs when people forget their passwords, so what's the benefit? I suppose it might frustrate someone who has been surreptitiously watching a colleague enter their password every day, trying to figure out what they are typing ... but really? Arguably it would reduce the success rate of repeated brute-force password guesses - that ought to be triggering alarms anyway. I just don't get it and nor, now, does NIST:

"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
That comes from NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management, published in June and recently picked up by the security press.

The list of things to include in the InfoSec 101 awareness module is becoming clearer by the day.

Aug 12, 2017

NBlog August 12 - passwords, again

A survey of password security on 48 popular websites [by a company selling a password vault system] 'reveals' that several don't enforce password parameters [that pretty much any password vault system would fulfill]. It also reveals an issue for online organizations whose users may or may not use password vaults.

With a click or two, users with password vaults can easily generate and regurgitate very long, complex, unique passwords, no problem. Sensible vault users don't particularly care what password parameters websites define, just so long as the sites don't unduly constrain their choice of long, complex, unique passwords. From my perspective, sites that prevent me choosing passwords longer than, say, 16 characters, or passwords with spaces, punctuation and other "special" characters, are intensely annoying, and also very revealing: such organizations are evidently not clued-up on user authentication. They are inadvertently whispering "Hack us!".

On the other hand, non-vault users need their passwords to be easy enough both to generate and remember. Often that means short, simple passwords, typically the same or similar across multiple sites. They - the users - are the limiting factor. 

Websites that let users set weak passwords are asking for trouble in terms of low-assurance user authentication. 

On the other hand, websites that demand strong passwords are also asking for trouble from users who can't be bothered, or can't remember their passwords, or write them down, or ... whatever.

The managers behind those websites are therefore stuck between a rock and a hard place.

Some try to deal with this issue by displaying 'password-strength-o-meters', those bars that head from red through orange to green as passwords grow stronger - at least, we presume so. Since there is no universal standard for password strength-o-meters, we can only guess at what they are indicating ... in just the same way that the 'researchers' who produced the 'survey' arbitrarily chose 5 parameters to 'research'.

There might be a better way to deal with this, namely a kind of captcha or automated test to determine whether the person behind the screen has the benefit of a password vault, or not. If so, let the vault take the strain. If not, the users need all the help they can get. A password complexity metric is one approach since people are so much worse (and slower!) at generating long, complex passwords than machines.
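To make the NIST SP 800-63B position quoted in the August 13 post concrete, and to show what the "please don't cap me at 16 characters or ban spaces" complaint above looks like in a verifier, here is an added example (written for this page, not code from NBlog, NIST or any of the surveyed websites). It puts an 800-63B-style acceptance check (length and blocklist only, no composition rules, no silent truncation, Unicode and spaces accepted) next to the kind of legacy policy the post grumbles about. The blocklist and the legacy rules are constructed for illustration; a real verifier would consult a large compromised-credential corpus.

```python
from __future__ import annotations
import unicodedata

# Limits taken from NIST SP 800-63B section 5.1.1.2 (user-chosen memorized secrets)
MIN_LEN = 8    # at least 8 characters
MAX_LEN = 64   # verifiers SHALL permit at least 64; this example caps there

# Constructed stand-in for a corpus of commonly used or breached passwords.
# Assumption: a real verifier would consult a large compromised-credential list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou",
             "welcome1", "p@ssw0rd", "password1"}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC before checking or hashing, as 800-63B recommends, so the
    same secret typed on different platforms compares equal."""
    return unicodedata.normalize("NFKC", secret)


def nist_check(secret: str, context_words=()) -> tuple[bool, list[str]]:
    """Acceptance check in the spirit of 800-63B: length and blocklist only.
    No composition rules, no truncation, spaces and non-ASCII accepted.
    context_words are site- or user-specific strings (service name, username)
    that 800-63B says should also be rejected.  Returns (accepted, reasons)."""
    s = normalize(secret)
    reasons = []
    n = len(s)                      # count code points, not bytes
    if n < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if n > MAX_LEN:                 # reject openly rather than silently truncating
        reasons.append("longer than %d characters" % MAX_LEN)
    low = s.lower()
    if low in BLOCKLIST:
        reasons.append("on the blocklist of common or breached passwords")
    for word in context_words:
        if word and word.lower() in low:
            reasons.append("contains context-specific word %r" % word)
    return (not reasons, reasons)


def legacy_check(secret: str) -> tuple[bool, list[str]]:
    """The kind of policy the post complains about, constructed for contrast:
    8 to 16 characters, no spaces, must mix four character classes."""
    reasons = []
    if not 8 <= len(secret) <= 16:
        reasons.append("length must be 8-16")
    if " " in secret:
        reasons.append("spaces not allowed")
    classes = (any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(not c.isalnum() for c in secret))
    if not all(classes):
        reasons.append("must contain lower, upper, digit and symbol")
    return (not reasons, reasons)


def compare(secret: str, context_words=()) -> dict:
    """Side-by-side verdict of the two policies for one candidate secret."""
    return {"nist": nist_check(secret, context_words)[0],
            "legacy": legacy_check(secret)[0]}


if __name__ == "__main__":
    for cand in ["correct horse battery staple", "P@ssw0rd", "Tr0ub4dor&3"]:
        print(repr(cand), compare(cand))
```

Run it and the contrast is the whole point: a long, memorable, vault-friendly passphrase sails through the 800-63B-style check and is rejected by the legacy policy, while "P@ssw0rd" satisfies every composition rule yet is thrown out by the blocklist. Whichever policy you adopt, the one thing 800-63B does make mandatory is forcing a change when there is evidence of compromise, which is a separate account-level action rather than part of this acceptance check.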

Aug 11, 2017

NBlog August 11 - password awareness

Passwords qualify as a basic cybersecurity control, so what should we be saying about passwords? Two key messages, for sure:
  1. Choose strong yet memorable passwords: easier said than done given the number of systems we are using these days. Longer pass phrases are better, and we have some useful tips on those. 

  2. Keep passwords secret. Aside from the obvious 'don't disclose or share your passwords with anyone', phishing is definitely a concern in this area ... but it's tricky to explain succinctly.

We'd like to recommend password managers or vaults - and we may do so, in the hope that our customers either supply a 'company sanctioned' one, or permit/encourage their people to use them: that's something to bring up in the management awareness stream, along with accountability.

We could also discuss bad passwords, password cracking/brute force attacks, poorly thought-out system designs that unduly limit password choice, hashing and salting and other controls to protect passwords in storage and when being communicated, and user authentication ... but probably not in the InfoSec 101 module, at least not in the general employee awareness stream.  Maybe we will touch on those for the professionals' stream.

I think that's enough for now. Things may evolve when we write or revise the content, especially as this is just part of the topic area. Phishing, for instance, may lead us into other areas.

Aug 9, 2017

NBlog August 9 - back to basics

September's NoticeBored awareness content will take a back-to-basics look at information risk and security, with an update to the Infosec 101 module.

So what are the basics?

We probably ought to, at some point, introduce the fundamental concepts, principles and approaches such as: 
  • Risk and control, both in general and in the context of information;
  • Governance, management and compliance;
  • The process of identifying, assessing and treating information risks;
  • CIA (confidentiality, integrity and availability) requirements; and 
  • Various types or categories of security control (e.g. preventive, technical).
Then there are basic security controls, such as:
  • Access controls;
  • Assurance and trust;
  • Backups, resilience and business continuity;
  • Firewalls and network security;
  • Malware controls;
  • Monitoring and oversight;
  • Passwords, identification and authentication;
  • Patching and system security;
  • Policies and compliance;
  • Physical security; and
  • Awareness (naturally).
Hey, the module is almost writing itself! Pepper the materials with a bunch of everyday examples of information security incidents, breaches and compromises and Bob's your uncle! 

Errrr, in case you missed it, I'm being cynical. For a start, explaining all of that would certainly take a while. Scratch beneath the surface and it gets quite complex and drags on ... which would be a problem in, say, a short employee induction or security orientation session. 

There's a risk of losing or boring the audience ... and that's another thing: 'the audience' is not a homogeneous blob. NoticeBored's three parallel streams of awareness content cater for staff in general, managers and professionals/specialists, but those are fairly crude distinctions.

Yet another factor is the organizational context. Our military or governmental clients are in a markedly different situation to, say, those in IT services, finance, healthcare, education, retail or charity. Within each of those industry sectors, some clients are more mature than others. In some organizations, the infosec awareness people would be grateful for awareness opportunities lasting literally just a few minutes. In those with a strong security culture, a few hours on this topic may be feasible.

All in all, it's far from simple to even specify, let alone create, back-to-basics security awareness content. There's clearly a distinct risk of complexity creeping in.

One solution might be to cut back savagely on the more advanced aspects - for instance, "passwords, identification and authentication" could become just "passwords". That would work for the staff stream for some clients, but not all. Dropping I&A makes me uncomfortable as an infosec pro. The same concern applies in, say, "access control". 

Another option would be to focus on the fundamental concepts and axioms that underpin information risk and security management, ignoring the actual controls altogether: conceptual theories might suit the professional stream but would fly way over the heads of most workers. I can picture the eyelids drooping as I complete this sentence!

So, that's where we are today. As always, I'll be updating the blog most days as the work proceeds. It will be interesting (for me at least!) to see how we surmount the challenge. Do tag along for the ride.

[By the way, the comments are open. How would you tackle this? I'd love to hear from you. Bright ideas are very welcome. Email me if you are shy.]

Aug 8, 2017

NBlog August 8 - mid-Winter sale ends soon

Spring is definitely well on the way here in New Zealand ... which means NoticeBored's mid-Winter sale will be ending very soon.  

If you've been toying with the idea of launching or pimping-up your security awareness program, catch this unrepeatable deal: a whole year's awareness content for just US$100 per month.

Hurry hurry!   Email me for details.

Aug 6, 2017

NBlog August 6 - keep calm and carry on

Sorry for the long pause. It has been a busy week here, mostly out of the office doing things around the place - pumping water, stacking fence battens, shifting and chopping firewood, that sort of thing. Recharging my batteries really, prior to starting work on the next month's security awareness stuff.  Oh and investing in a shiny new tooth.

This weekend I'm updating an ISMS audit guideline to reflect the current ISO/IEC 27001 and 27002 standards and others in the ISO27k series, plus good practices in general. With the help of some experienced auditors from the ISO27k Forum, the guideline has expanded to ~80 pages with detailed yet pragmatic checklists for auditing both the management system elements of an ISMS, and the information risks and security controls managed by it.

Jul 31, 2017

NBlog July 31 - August's cyberinsurance awareness module released

A few hours ahead of schedule, we've just sent customers August's package of security awareness materials covering cyberinsurance - a new field, a novel awareness subject, and the 62nd topic in our bulging portfolio.

Cyber risk is an increasingly significant concern to organizations that are critically reliant on IT systems, networks and data ... and can you think of any that are not critically reliant?  Aside from the direct, immediate impacts (losses and costs) and effects on business systems, networks and data, cyber incidents may have devastating business consequences if supply chains, perhaps even whole industries and nations are affected. The risk extends throughout and beyond the corporation.

Arguably the most effective way to reduce cyber risk is to avoid risky business activities altogether … but naturally that means forgoing the business benefits of those activities.  It's not even possible in some cases.

The next best option is to mitigate or reduce cyber risks using cybersecurity controls. These can be complex, costly and imperfect, but at least the activities can take place. Security professionals naturally favor this option: it's their home turf ... but it's not the only way.

Sharing or transferring risk to third parties (such as insurers and business partners) is the subject of August’s materials ... and I'll have more to say about that during the month ahead.

Finally we have the option to accept cyber risks that have not been treated (eliminated or reduced) in other ways – actually, ‘option’ is a bit misleading since some cyber risks have to be accepted, regardless: there is no choice. Risk acceptance is the default, leaving us exposed to the possibility of cyber incidents and the consequences thereof.

In short, cyberinsurance reduces the amount of cyber risk we have to accept.

The NoticeBored module delivers 60 Mb of cyberinsurance awareness materials.

If you're quick you can get all of that for just $100 through our mid-Winter sale: a whole year's awareness content will set you back $1200, but you'll have to hurry. Once Spring is sprung, we'll revert to our normal pricing. And look what turned up this morning ...

Jul 30, 2017

NBlog July 30 - lambs, more lambs

Despite the looming end-of-month deadline, we managed a few hours off this weekend to visit friends across the bay, passing this little threesome en route, the proud mum with her newborn daughter and son enjoying a bright and sunny but bitterly cold NZ day, so cold in fact that our water pipe froze this morning. 

Think of us as you Northerners head-off to the beach for your summer vacations. We're fine, really, we're OK.  We have thick woolly coats.

The cyberinsurance awareness module is virtually finished, with just the proofreading and any final corrections left. I'll package and publish it for customers tomorrow, updating the NoticeBored website and this blog with information about the new materials - more than 30 items and 60 Mb of brand new awareness content, on a cutting-edge security awareness topic. 

We'll be drawing our mid-Winter sale to a close at the same time, so if you've been thinking about 'doing' awareness, your big chance to take out a NoticeBored subscription at an unbeatable price is almost up.  

Jul 29, 2017

NBlog July 29 - Spring is in the air

As we head inexorably towards Spring, it's peak lambing season down here in New Zealand.  

We have three woolly bundles huddled down in the paddock already, their little knees knocking whenever a cold Southerly blows in from the Antarctic.  

The remaining heavily-pregnant ewes have been doing their breathing exercises for weeks, waddling laboriously around and complaining about their backs. Their bags are packed, the route to the birthing suite laid out and well-practiced.

Meanwhile the rams can't settle, frequently checking their mobiles for The Call. Having missed prenatal classes, they are somewhat perplexed at the activity and noise just the other side of the fence ...

Jul 28, 2017

NBlog July 28 - Hinson tips for risk workshops

A qualitative Risk Analysis typically involves holding one or more ‘RA workshops’, bringing together a bunch of experts in risk (including but ideally not just information risk), information security, compliance, IT, internal audit and the business (concerned managers, business continuity people) etc. with a competent facilitator (again, ideally someone outgoing with a background in information risk, possibly just a brilliant facilitator with an interest in making it happen and a successful record!) to organize and lead the session/s.  

Here are my hints on organizing and running RA workshop session/s (based on my personal experience and prejudices: your approach will vary!):

  1. Do some preparatory work before even booking or inviting people to the first event – in particular, consider the purpose. What do you expect the organization to get out of it? Why should people invest their valuable time by participating? Find out how other kinds of risks are analyzed/assessed normally, and how workshops are typically run. Speak to supportive senior managers to get them on-board with this – their support, and ideally their participation, will be invaluable. Start talking to other potential participants to sound them out, informally, and hopefully get them engaged/interested if not actually committed to participate (note: ‘participate’ not ‘attend’!). Once word gets around and others start to enquire about joining in, it’s time to press ahead to phase 2 …

  2. Based on the availability of key people, decide on the (first) session date, book a suitable meeting room or videoconference facilities, and send out invitations with a clear description of the purpose. Ideally send out background info too, such as  an outline of relevant information risks already identified and managed, plus items for discussion such as further info risks that perhaps ought to be assessed and treated too (e.g. based on recent incidents, within the organization or elsewhere). Perhaps give people some homework to do before the session – at least a few issues to consider and hopefully get them in the right frame of mind for a productive session. Work closely with the facilitator (if not you) and other key players. Think about how the session/s will be run – perhaps even rough-out the agenda.

  3. Keep promoting the event/s. [It may be possible to complete the whole thing in one session, but I suggest leaving open the possibility of further sessions, follow-ups, focus groups or whatever might be needed to explore some aspects in more depth, or simply to complete a wide-ranging analysis. It may be hard to convince people to commit to a lengthy and laborious process, so be sure to clarify the benefits: explain why this is a worthwhile and necessary investment of everyone’s time! The payoff includes awareness, understanding, collaboration, decisions, agreement, authority to proceed etc. …]. Spend time contacting and meeting people, explaining what is going on, reiterating the purpose, and generally lining things up. Send out reminders a week or so before the event. Via or in conjunction with those supportive senior managers, apply thumbscrews to any key people who are still reluctant to participate. As a last resort, persuade them to attend key parts of the session (beginning, middle or end – wherever they will gain and provide most value).

  4. Meanwhile, get things ready for the event itself. You’ll probably need whiteboards, for instance, but what else? How will the session pan out? What’s the agenda and timescale? How will things be recorded, and by whom? What outputs are to be generated? What inputs/info might be needed, or should be accessible? Order coffee and donuts! 

  5. Think about the team dynamics and personalities of those who will participate. Are there shy people who need to be supported to open up?  How? Are there assertive ones who may need to be gently restrained? How? Are there bones of contention, hot buttons to be pushed, parked or avoided? Who are the diplomats, the most powerful, well-connected and well-respected people present who can help keep things running smoothly and on-track? 

  6. There are lots of ways to run the session: my personal favourite involves first setting the background and explicitly agreeing the objectives, then getting people to write down their initial thoughts/ideas on Post-It notes (one per note), then inviting them one at a time to stick their notes on the whiteboard (ideally in related groups) while explaining briefly what concerns them. Don't dominate, facilitate! Let the discussion evolve and continue naturally from there, with gentle guidance as needed … gradually bringing things together by focusing on building, say, a PIG (Probability Impact Graph) or risk spectrum diagram or risk matrix or whatever – something, anyway, that brings sense and order to the thoughts and discussion, drawing out important themes, concerns or issues. Gradually firm up the group’s view of the information risks, relative to each other and perhaps relative to other risks to the organization. Check that you are on-track and meeting the objectives. Put extra effort into discussing and clarifying the main risks, and any issues, concerns or matters still unclear. Pick out and record any show-stopping/surprising comments, agreements, disagreements or decisions for extra emphasis. End by thinking forward to next steps: is more analysis needed e.g. another meeting? Are there already actions arising that need to be initiated and progressed? Who needs to do what, how and by when? Who else needs to be involved or agree to that? End by checking that you’ve met the objectives, sum-up what you’ve achieved, outline what happens next, and of course thank everyone for their active participation.

  7. Follow-up. At the very least, tidy up the records and outputs of the session and circulate them to participants and other interested parties (possibly a brief overview for everyone – it’s a security awareness opportunity after all!). Get going on those actions arising, e.g. update your risk register, Risk Treatment Plan, budget proposals etc. Make notes on how to make these activities even better next time.

There are websites, books and probably training courses in this area if you need even more guidance, as well as standards and methods for risk analysis and management as a whole. I’ve learnt how to do it by participating in and organizing these and other similar sessions, and by trying stuff out over several decades. It’s exhausting but can be fun and very rewarding when it goes well. An effective group is greater than the sum of its parts.


If risk workshops don't appeal, another approach is to do the initial risk analysis yourself (perhaps with your team or someone from Risk) on the basis of your knowledge, experience, expertise and biases (!), producing a ‘straw man’ that you can then discuss with individuals or small groups, modifying it as you go according to those discussions and further information that comes to light, including incidents and near-misses plus ongoing risk treatments. Work your way systematically up to and then around the management team, plus assorted info-risk-related experts. Every time you discuss it with a new person, add them to the distribution list for periodic updates including notes about recent changes made, to keep them informed as the picture evolves. It becomes a kind of live status report on the organization’s information risks – a metric in fact - that focuses attention on the risks identified, prioritized or ranked according to the consensus opinions of their relative probabilities and severities (or whatever parameters you use). Take the opportunity to mention information security initiatives and challenges, emphasizing how your work relates to risks of concern to the business.
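As an added example (not the author's code or method), here is the consensus ranking and change-tracking described above in Python: it assumes a constructed 1-5 scale for probability and severity, takes the median of each as the group view, rates risks as probability x severity for placement on a PIG, and reports what moved since the previous issue of the straw man.

```python
"""Consensus ranking for a 'straw man' information risk register.

Added example, not code from the NBlog post. Assumptions: each reviewer
scores probability and severity on a constructed 1-5 scale; the group view
is the median of each parameter (one loud voice cannot dominate); rating is
probability x severity, as on a simple Probability Impact Graph (PIG).
"""
from statistics import median

# Constructed sample votes: risk -> [(probability, severity)] per reviewer
SCORES = {
    "R1 ransomware on file servers": [(4, 5), (3, 5), (4, 4), (5, 5)],
    "R2 mis-sent customer emails": [(5, 2), (4, 2), (5, 3)],
    "R3 loss of key infosec staff": [(2, 4), (3, 3), (1, 2)],
    "R4 unpatched internet-facing app": [(3, 4), (4, 5), (2, 3), (3, 4)],
}

# Constructed previous issue of the register, in the form consensus() returns
PREVIOUS = {
    "R1 ransomware on file servers": (3, 5, 15),
    "R2 mis-sent customer emails": (5, 2, 10),
    "R5 stolen laptop": (3, 3, 9),
}

def consensus(scores):
    """Group view per risk: (median probability, median severity, rating)."""
    view = {}
    for risk, votes in scores.items():
        p = median(v[0] for v in votes)
        s = median(v[1] for v in votes)
        view[risk] = (p, s, p * s)
    return view

def ranked(view):
    """Risk names ordered by rating, highest first; ties broken by severity, then name."""
    return sorted(view, key=lambda r: (-view[r][2], -view[r][1], r))

def pig_cells(view):
    """Place each risk's short id on the PIG grid cell keyed (probability, severity)."""
    cells = {}
    for risk, (p, s, _) in view.items():
        cells.setdefault((round(p), round(s)), []).append(risk.split()[0])
    return cells

def changes(previous, current):
    """What moved since the last issue: re-rated, newly added and dropped risks."""
    moved = {r: (previous[r][2], current[r][2])
             for r in previous if r in current and previous[r][2] != current[r][2]}
    added = sorted(set(current) - set(previous))
    dropped = sorted(set(previous) - set(current))
    return moved, added, dropped

if __name__ == "__main__":
    view = consensus(SCORES)
    for r in ranked(view):
        print(f"{view[r][2]:>5}  {r}")
    print("PIG cells:", pig_cells(view))
    print("changes since last issue:", changes(PREVIOUS, view))
```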

Although the process (however you do it) is clearly subjective, I believe it would be a huge improvement for many organizations that either don’t do this kind of thing at all, or leave it entirely to someone buried away in the deep dark depths of IT or Risk. Stronger interaction or engagement between “information security” and “the business” is invaluable in gaining and retaining widespread support for an ISO27k ISMS, when the time is right.

PS  Chris Hall suggested that it might be worth running workshops with different groups of attendees, giving them the chance to explore their areas of concern more freely perhaps than in a mixed audience:
"You might need to hold a few workshops with different groups of attendees from different business areas. For example, it would not normally be a good idea to hold a risk workshop with both IT techies and some business function people."

Jul 27, 2017

NBlog July 26 - terms of art

The day before yesterday I mentioned that we've been discussing terminology and definitions on a couple of professional forums. In exploring the first few terms of art, we've begun peeling back the layers to reveal more complexity beneath. Almost immediately, we realized the need to define some of the terms we were using in the initial definitions - the very reason that our glossary is sprinkled with hyperlinks.

Discussing the core term, "risk", we've danced around various ways to express some combination of probability or frequency of occurrence and projected severity or magnitude of impact, losses and other adverse consequences.  

"Information risk", then, relates to incidents involving or affecting information, hence "information security" involves measures to reduce or limit the number and/or the severity of incidents involving or affecting information ... which is markedly different to the common definition along the lines of 'protecting the confidentiality, integrity and availability of information' - although I guess the two could be combined, if necessary.

Aside from those particular points, the discussion has set people thinking and talking: as an awareness-raising technique, it has worked, to some extent anyway. As is normal for virtually all awareness activities, a small proportion of the audience has actively engaged and responded: the vast majority have remained silent. Whether they are watching with interest, on the point of speaking up, livid with rage and so unable to express themselves coherently, or simply tuned-out and away-with-the-fairies we don't know - probably some mix of those, and perhaps other attitudes.

That thought suggests another possible awareness metric - a survey of opinions among the intended audience of a corporate infosec awareness program about the program, their engagement with it, interest in it, perhaps exploring the reasons why they feel the way they do. Provided the survey was carefully designed and competently executed on a reasonable sample of the population, it should generate useful, actionable insight with, probably, a few focal points in need of improvement. Aside from any weaknesses, it might also confirm the program's strengths (e.g. if people are happily enjoying, absorbing and learning from the information provided without the need to get actively involved, that would not be a bad outcome - a basis on which to build at least).

Jul 25, 2017

NBlog July 25 - glossary as an awareness tool

By coincidence, two of the professional groups/discussion forums I frequent have both been discussing terminology today.

It takes a particular personality type to enjoy discussing terminology, in depth. It requires both tight focus and a broad appreciation of the field. It helps to be well-read, since terms and concepts generally emerge from study or research that may be obscure. It helps also to be open-minded, since terminology is one of those things that fires-up experienced and knowledgeable colleagues: the passion is almost palpable! I'm not at all worried about being "put straight" by respected gray-beards - we all give as good as we get, part of the cut-n-thrust of professional discussion.

Some might consider us anally-retentive. 

On the other hand, the information content of language is critically dependent on the meanings, interpretations and implications of the words we use. In relatively new and complex areas such as information security, misunderstandings and confusion stemming from limited or inappropriate vocabulary can be inconsequential, mildly annoying or problematic, depending on the context. On top of that, language evolves naturally as a consequence of how it is used in social intercourse. There is plenty of wiggle-room. 

Anyway, today we've been discussing the meaning of about a dozen core terms of art in the field of information risk and security. Although I don't intend to expand on the definitions and discussion here, it's a chance to raise a more general point about awareness and training.

Explaining terminology is an important part of any decent awareness program or training course. It helps set the scene for both the audience and the authors/presenters/trainers. It differentiates relatively superficial from more in-depth approaches - the former gloss over the details anyway.

We maintain an extensive information security glossary, updating and re-issuing it every month in the course of developing each batch of awareness content. Any specialist terms used in the definitions are hyperlinked to their own definitions, making it interesting (fun even!) to follow one's nose from term to term, hopefully discovering and learning new stuff along the way. It reminds me of the joys of browsing dictionaries, encyclopedias and most of all Roget's Thesaurus when I was young (yes, a long, long time ago, pre-Google, when we thumbed through reference books made of a substance known as paper).

At the same time, I'm not a professional lexicographer. The glossary is a valuable working tool, not a formal academic treatise. We quote numerous "official" definitions from various "official" sources such as ISO/IEC 27000, but in most cases we add our own pragmatic definitions - particularly when the formal ones are too obscure, narrow or plain misleading for our purposes.

Here's a tiny extract to demonstrate its style:

I added "Actuary" today, in connection with August's awareness topic, cyberinsurance. Along with other terms relevant to cyberinsurance, it is picked out in red. In the definition, "data" and "risk" are underlined hyperlinks to their respective definitions ("risk" is pink because I've followed that hyperlink to check and update the definition, following today's exchange on the forums). 

Some of the definitions (such as that one for activist) are a little tongue-in-cheek because they amuse me, and hopefully those little nuggets of humor spur-on the intrepid reader who has the interest and the stomach to browse an information security glossary. Our aim in awareness is not just to educate or inform, but to entertain and engage - a delicate balance. 

The whole thing is now a little over 300 A4 pages, defining over 2,000 terms with over 80,000 words in total, growing a further page or two most months. If you'd like a copy, we've published it as a Kindle eBook on Amazon for less than $10 ... or you'll get it for free as an MS Word document with monthly updates by subscribing to NoticeBored.

Jul 22, 2017

NBlog July 22 - ISO27k for GDPR

Someone just reminded me that nearly a year ago I wrote a document mapping the EU General Data Protection Regulation requirements to an ISO27k Information Security Management System.

The idea is to demonstrate how the ISMS satisfies most of the GDPR requirements, within an overarching governance framework that has other benefits (since it covers more than just privacy).  

If you find yourself in a bit of a pickle right now, under pressure from management to "do GDPR, and quick!", the mapping document helps by laying out and explaining the requirements. Even if you don't have an ISO27k ISMS at present, and have no immediate intention of implementing one, the structure is well worth considering. Turn GDPR from a challenge into an opportunity!

The mapping was released as part of the free ISO27k Toolkit and is covered by a Creative Commons license, so feel free to share the links with your peers.


Jul 21, 2017

NBlog July 21 - Global Risk Management Survey

Yesterday I blogged about various information sources that keep me abreast of the field. 

Right on cue, here's an excellent example: a shiny nugget I found on the Web today, following my nose from a Google search through several other references and links.

Aon's latest Global Risk Management Survey reports on an online survey completed by business people from 1,843 organizations globally at the end of 2016. 

According to the 2017 report, the top 10 risks of most concern to management are:

  1. Damage to reputation/brand 
  2. Economic slowdown/slow recovery 
  3. Increasing competition 
  4. Regulatory/legislative changes
  5. Cyber crime/hacking/viruses/malicious codes 
  6. Failure to innovate/meet customer needs 
  7. Failure to attract or retain top talent 
  8. Business interruption 
  9. Political risk/uncertainties 
  10. Third party liability (inc. E&O)

I've highlighted #5 - cyber risks - because they are so obviously relevant to information security awareness.

Apparently, cyber risks were ranked #1 by respondents from the aviation, education and government sectors. Why might that be?

  • The aviation industry is extremely safety-conscious, so I guess they are concerned at the possibility of cyber incidents leading to injuries and deaths, for example through cyber-terrorism. On top of that, fly-by-wire planes are critically dependent on their on-board IT systems so system design flaws, bugs, configuration and operator (especially pilot!) errors can be lethal. The dreaded blue screen of death could be literal. 
  • Governments, meanwhile, must deal with sophisticated and well-resourced cyber-attacks by other nation states, while doing their best to protect critical national infrastructures and economies. They also need to address terrorists and criminals, as well as tax-evaders, fraudsters and so on. As they become increasingly computerized, governments are inevitably more exposed to cyber threats.
  • I don't really know why the education sector is so worried about cyber risk, except perhaps the fact that kids today are more cyber-savvy than all previous generations, including the teachers and administrators trying to educate them. Hmmm, not sure about that.  [Thoughts, anyone?]

I am surprised the finance industry is more worried about other risks, but then they have to deal with global economics, politics and regulation, so maybe cyber risks are just another challenge!

"Cyber threat has now joined a long roster of traditional causes—such as fire, flood and strikes—that can trigger business interruptions because cyber attacks cause electric outages, shut down assembly lines, block customers from placing orders, and break the equipment that companies rely on to run their businesses. This explains the dramatic rise in ranking, from number nine in 2016 to number five this year. For survey participants who are risk managers, they have voted it a number two risk, probably because cyber breaches are becoming more regulated, with many companies in the U.S. and Europe facing mandatory disclosure obligations. Similar requirements are being introduced in Europe and elsewhere. As a result, cyber concerns will continue to dominate the risk chart ... About 33 percent of surveyed companies are now purchasing cyber[insurance] coverage, up from 21 percent in the previous survey."

Jul 20, 2017

NBlog July 20 - navigating the World Wide Warren

A while back, this blog made it onto Feedspot's top 100 infosec blogs. Today, I finally got around to displaying our medal. Thanks Feedspot. I'm honored to be listed among such awesome company! 

A couple of times lately, I've been asked how I manage to keep up with the field for our security awareness and consultancy services. Good question! 

Blogs are an excellent source of information and inspiration. I track a bunch of blogs routinely through Blogger - roughly 40 on my reading list at the moment although some of those are in fact feeds aggregating or streaming an unknown number of individual blogs, and some relate to my hobbies and interests outside infosec. Yes, I have a life! The trick with blogs is to find and track the more creative bloggers who consistently generate good stuff, discarding those who only ever re-post other people's efforts, adding little if any value. [Yes, there are blogs in Feedspot's top-100 that I ought to be following: systematically checking them out and adding the best to my reading list is another task on my to-do list.]

I browse a few favourite magazine sites from time to time, such as The Register. Well-connected journalists come up with interesting stories. I most enjoy articles that take different angles and scratch below the surface, pulling together facts and opinions from various sources that I would otherwise have missed. [A decade or more ago, magazines and newspapers were also good for actual news, but these days social media outpace them most of the time.]

I enjoy well-written books and maintain a decent office library. In contrast to the other sources, most books go deep, requiring more effort and concentration ... but the reward is a deeper appreciation of a topic area, including conceptual frameworks.

Talking of gossip, I enjoy being part of various online discussion forums and professional/industry groups. Mostly it's a slog, though, with the vast majority of participants contributing nothing at all - it's just take take take for them. Aside from the few who actively post and discuss stuff, the rest somehow seem to suck the life out with their deafening silence. 

RISKS-LIST is a remarkable resource, thanks to the tireless efforts of its moderator since the dawn of time, as much as the contributors. I doubt there has been a single issue that didn't contain at least one item worth exploring further. 

Google+ occasionally puts me onto something new - well not so much Google+ itself as the extended family of friends and colleagues who post stuff there. Again, it's a shame more infosec pros aren't actively using Google+ routinely. Not quite enough to reach critical mass as yet, although I should put more effort into searching out more bright sparks. [My to-do list grew again.]

Linkedin is another occasional source, specifically a handful of infosec-related groups and postings by my connections. However, the deluge of marketing tripe is a serious problem - far too many 'social media marketing experts' putting the din in Linkedin. The abysmally low signal-to-noise ratio means a lot of wasted time, distractions and annoyances. I blame the apparent lack of moderation, coupled with a preponderance of vacuous advertisements spewing forth in the guise of news, like so many home-shopping channels on speed.

Personally I'm not into Twitter, Facebook and the like. I just don't have the time for such trivia.

Google rocks! The search engine is awesome, albeit a little annoying and inconsistent at times. The intense focus on whichever web pages make it to the top of the search results is a concern since there are bound to be more innovative nuggets buried further down the list. Perhaps Google ought to give us the option to promote a few matching sites at random into the search results we see? Meanwhile, I make good use of the search options and syntax to dig out what's new. [Blogger is a Google service so this very blog would be off-the-air without Google.]

Lastly of course, there's the World Wide Web, without which we'd still be stuck in the Dark Ages. All those blogs, groups, journalistic pieces and search results are basically just pointers to the gold, not the gold itself. Original research papers, surveys and articles are how I really find out about infosec. Industry journals such as ISSA and ISACA's Journals often publish meaty, worthwhile, peer-reviewed content with traditional references to their sources ... leading me down deep dark rabbit warrens that I first learnt to navigate when doing my PhD way back in the 80's. 

So that's how I keep up with the state of the art. Almost anyone can do it: all it takes is about 12 hours of intense concentration per day, a lifetime's interest in scientific research ... and a million rabbits.