Welcome to the SecAware blog

I spy with my beady eye ...

22 Feb 2017

28 days of awareness: day 21

With a week to go until our self-imposed end-of-the-preceding-month regular-as-clockwork delivery deadline, the ransomware awareness module for March is coming along nicely. 

The contents listing is gradually filling up with ticks as each item is drafted and completed, which means that stress levels in the office are elevated but under control at this point. The diagrams/mind maps, glossary and presentations are sources of inspiration and content for most of the remaining materials, allowing us to increase the pace of production at this point in the monthly cycle.

Today we completed four more deliverables:

(1) The case study is valuable for security awareness and training purposes because: 
  • It gets people thinking and talking animatedly about the topic, especially in a lively group with an inspirational facilitator;
  • It is a good way to bring information security topics to life with relevant news, recent incidents, advisories, issues etc.
  • It is succinct; 
  • It is flexible to deliver e.g. a case study session can be run as a discrete, standalone event or incorporated into other awareness activities such as seminars and courses to break the tedium of lectures and increase audience participation; and
  • It is an excellent opportunity to share, promote, consider and discuss good security practices in the organization's business context. 
The style we have developed for the NoticeBored case studies is a two-pager: the first page outlines a scenario or situation in a brief paragraph, then poses three rhetorical questions designed to draw out the main learning points through individual reflection then group discussion. The second page offers 'model answers' - not a definitive or comprehensive set of responses, simply highlighting the key points in order to pump-prime the group discussion if it needs a boost, and to give participants something on paper to take away, recall the discussion and consider further at their leisure. 

Sometimes a genuine incident can be used directly, although this month's fictitious case study was merely inspired by a news report on a ransomware incident affecting a public transport service in San Francisco over the Thanksgiving weekend. Thanks to their effective recovery controls, the infection was eradicated and services soon returned to normal after a period of free rides. The case study explores the possibility of more disruptive and costly outcomes in that kind of situation.

(2) The board agenda is a simple and straightforward yet valuable part of every module - a device designed to get top management engaged with the month's awareness topic. The agenda poses two rhetorical questions with just a few brief sentences of explanation providing the context, and color-coded scoring scales for board members to consider and communicate their positions, leading to a lively discussion during the meeting. The questions are deliberately framed at a high level, normally with a business or organizational focus and phrased in strategic or governance terms. We don't anticipate senior managers getting involved in the details of information security controls or their management, but they do have an overall governance role, ensuring that information risks are being properly considered and duly treated in relation to other risks of concern. Their purview includes setting strategic direction, allocating corporate resources and prioritizing corporate activities.

(3) The wordsearch puzzle is a toy, a game to encourage people to search a grid for words and terms relating to ransomware and malware in general. It's a lighthearted challenge to increase one's vocabulary and have some fun (a rare commodity in this domain!). 

We generate the puzzle from a list of malware- and ransomware-related words and phrases extracted from (4) the glossary, which is practically finished. It's surprising just how many terms-of-art we come up with every month: typically over 150 per topic, more than enough to fill the puzzle grid, so we take the chance to trim out the least relevant/most obscure ones, although it would take a superhuman effort to find all of the remainder.

That's it for another day: more gaps to fill in the contents listing tomorrow. The floggings will continue until morale improves.
