Welcome to the SecAware blog

I spy with my beady eye ...

4 Mar 2017

NBlog March 3

What does this remarkable paragraph, taken from a marketing email on "developing a policy management strategy", tell you about the writer's appreciation of his audience?
"Policies and training programs that are managed as dissociated documents, data, systems, and processes leave the organization with fragments of truth that fail to see the big picture of policy and training across the enterprise and how it supports the organization’s governance, risk management, and compliance (GRC) responsibilities. The organization needs to have holistic visibility and situational awareness into policy and training across the enterprise. Complexity of business and intricacy and interconnectedness of policies and obligations requires that the organization implement a policy and training management strategy."
Words fail me.

Keeping things readable and understandable is certainly challenging in this line of business. Partly that's a result of the specialist terms we use (often without explanation and sometimes - such as 'cyber' - without a clear and specific meaning!), while a deeper issue is the complexity and obscurity of the fundamental concepts. Information security is hardly unique in that, though, so how do other fields cope?

Four common approaches are:
  1. Dumb-it-down and lighten-it-up when describing difficult stuff to the general public. We see this a lot on TV and other broadcast media including news, documentaries and factual channels. The long-running BBC series Tomorrow's World was an important part of my youth, along with other 'popular science' programs, most of which were actually about technology innovation rather than what I call true science, as in primary research. The presenters of these programs tread a fine line between patronising and informing their audience: they deliberately and consciously gloss-over almost all the details but give just enough information and insight to both intrigue and entertain. There's an art to finding stories that will work in that medium, and finding ways to express them, preferably in bite-sized chunks involving striking visual or graphical images and novel concepts, with 'show me' demonstrations. As you watch this Tomorrow's World piece from 1979 about an experimental portable phone, think about the way the technology is demonstrated and described.
  2. Leave it to the experts, also known as "Trust me, I'm a doctor". Hardly anybody outside the medical profession would expect to know, in detail, how the human endocrine system works. Few would even understand 'endocrine' or, for that matter, 'system'. So long as the doc has been through the requisite training and reached the required standard of excellence by passing the exams and gaining sufficient real-world experience, our trust in his/her capabilities means we don't want to be told everything, just the edited highlights. Same thing with car mechanics and arborists ('tree surgeons'). We rely on their expertise and abilities to do whatever they do, and if they can't explain it well that's OK so long as they truly understand it.

  3. Explain it fully. This includes the brilliant Haynes Manuals using diagrams and professional photographs to illustrate and simplify complex tech topics for non-experts, and in stark contrast the often mind-numbingly boring academic textbook approach. Those experts in paragraph #2 rely heavily on textbooks, along with explanations, demonstrations, practicals and more - in other words classroom learning - both to pick up and to pass on their skills. The author, teacher, lecturer or mentor's inspirational role is critical here, for instance combining knowledge and experience with insight and passion, plus hopefully the social skills to interact positively with the class or other audience.
  4. Let the audience drill-down for more. The Web is brilliantly suited for this style of explanation and exploration of a topic. Notice how paragraph #1 above is reasonably self-contained and readable as it is, but there are embedded hyperlinks with more information. Whether you took the bait and clicked the links is up to you, not me: all I did was provide the context and brief clues about what you might find there, in effect recommending them to you. Likewise with the linked pages: they too had further links and so on - a practical implementation of the hive mind concept thanks to the brilliance and foresight of Sir Tim Berners-Lee [tips brim of imaginary hat]. 
In relation to information security awareness, then, these and other techniques are all viable and useful approaches. I'm very conscious of my own preferences, and I appreciate that my default style of explanation (including this very blog!) is long-winded and dull to some, but this is just a part of what we do. We clarify our understanding by delving quite deeply into a topic, then gradually pull back out for the broader higher-level perspective, hopefully finding interesting angles along the way.

After this weekend, I'll blog about the flip side, the preferred learning styles of various awareness audiences, along with the issue of topics, themes and messages.

Gary (Gary@isect.com)

No comments:

Post a Comment