Welcome to the SecAware blog

I spy with my beady eye ...

28 Feb 2017

28 days of awareness: day 27

We're on the home straight now.  All the writing is done and dusted, proof-read and polished to a gleam. The poster images are winging their way to us through the Internet.

The website is being revised with an updated home and 'this month' pages describing the ransomwareness module.  We'll take the opportunity to quote Professor Angela Sasse, professor of human-centred technology and director of the UK Research Institute in the Science of Cyber Security at University College, University of London. Angela's comments at a European meeting resonated with me, in particular:
“In most organizations today, awareness training is just background noise. This stuff is being pushed at people but its going past them. They are not engaging with it and not changing as a result.”

Agreed, engaging the audience is crucial, Angela, but how?  Several engagement techniques are employed in the NoticeBored ransomware materials:
  • Rather than attempt to cover everything at once, we've focused on a specific topic: ransomware is a real and present danger, a genuine business concern right now
  • Next month's topic will be something different: even if ransomware is not exactly gripping, perhaps the next topic will be, or the next ...
  • We've found interesting angles to put across (e.g. using IoT things either as hostages or as platforms for further mischief), hoping to catch the eyes of our audiences 
  • The manner in which we express stuff reflects the distinct needs of different audiences e.g. the basics for a general audience vs. higher-level strategy, governance, policy and metrics for the management audience vs. more detailed and technical content for professionals
  • The materials address the key question "What's in it for me?" both at a personal level and as integral parts of both the corporation and of society at large
  • The variety and style of content supplied is designed to suit different learning preferences, for example some people prefer images and concepts, some prefer to read the written word, some like to be told or shown stuff, some like to chat about things, some just wanna have fun ... 
  • The volume of content varies also according to the audience e.g. busy senior managers typically prefer a more succinct and direct style, with the option to explore further if they choose to do so
  • We're encouraging people from all parts and levels within the organization to interact on this one topic, socializing information security
  • The content mixes factual, advisory and motivational stuff, giving people the knowledge and impetus to think and hopefully act more securely while avoiding the desperately lame "Do X" by laying out reasons and options
  • The awareness materials are polished and professional, of the highest quality, designed as a coherent and consistent set that complement each other both within each module and across successive modules (e.g. we will surely mention malware again this year, and we will be looking for opportunities to bring up ransomware and IoT as a reminder of the March module
'Engagement techniques' are a valuable part of the train-the-trainer guide in every module. Aside from the basics of the scope and purpose of the module, an outline of the content and how we envisage it being customized and used etc., we also provide a set of Hinson tips each month.  The intention is to help customers up their game in security awareness, giving them creative ideas to make their awareness activities and programs even more effective.  Here are a couple of tips from this module:
Drive up reporting of incidents, near-misses and concerns by making a concerted effort to thank or reward anyone who reports actual or suspected malware etc.  Word will soon spread!  Work closely with the Help Desk, IT and HR on this.  Be generous to those who followed the correct procedures and helped avert potentially serious incidents.  Weave reported issues into your awareness program, openly acknowledging those who reported them.

Aside from the ransomware metric described in the metrics paper this month, stark statistics about the prevalence of ransomware and malware can help put such matters on the agenda – within reason.  It’s easy to default to an excessively sensationalist style that portrays everything in information security as a massive problem whereas, in reality, controls are strong enough on the whole to keep things in check.  On the other hand, strong security may reduce the number and severity of incidents to the point that people (quite rightly!) start to question whether the organization is over-investing in this area and has become so risk-averse that the business is being unduly constrained.  Aim for a careful balance.  Surveys, infographics and other published statistics and commentaries can be used to reinforce the point that the threats are real and that other similar organizations are suffering costly and disruptive incidents, even if we are not.
OK, enough for now. I need to get on. The end of month deadline is starting to make that whooshing noise like an approaching steam train.


No comments:

Post a Comment