One of the IoT security issues we explore in June's awareness module is the use of compromised things as platforms for further attacks - for example not just spying on people but spreading malware or launching exploits against corporate systems and networks, including other things.
While the preceding brief paragraph hopefully makes perfect sense to those who already have a reasonable understanding or appreciation of IoT security, it won't resonate with everyone. Although 'compromise', 'platform', 'attack' and 'exploit' are ordinary everyday English words, we're using them here in a particular context with quite specific meanings. The distinction is important in awareness because we are addressing people with varying levels of knowledge and understanding, ranging from next-to-nothing up to expert. It's fine for them to take away different things from the awareness materials just so long as they all have a reasonable grasp of the same core messages, the learning points. Those form the common ground that we hope will enable and stimulate people to chat about information security matters among themselves, thereby socializing security and ultimately behaving more securely.
One way to tackle the conundrum is to explain ourselves in writing, clarifying precisely what we really mean. That's entirely appropriate and necessary in some cases ... but if over-used the technique quickly becomes tedious*, especially for those towards the high end of the notional expertise scale. Written explanations are a useful means to explain neologisms (newly-coined words) as you see. Written content suits people who enjoy reading, contemplating and learning. It is hard to write about complex topics and nebulous concepts (of which there is no shortage in this field, 'security awareness' for instance!), and especially challenging to write clearly for significant segments of the awareness audience who don't really enjoy or have the time to get into this stuff. After all, that's the very reason we are into awareness!
Another approach would be to explain what we really mean in person, interacting with the audiences (whether individually or in groups), empathizing and responding to their body language (such as puzzled looks) as well as addressing their vocalized questions and comments. Face-to-face interaction is a very powerful and effective way to communicate, making it the most valuable awareness-raising technique. However, since we can't personally interact with our customers' workers on a regular basis, we provide customers with the content and motivation to do it themselves ... and that's where things get really interesting. We're doing awareness-by-proxy.
Aside from conventional written awareness materials, we find graphics extremely useful because:
- They are visually appealing, stimulating and engaging, especially for those who don't enjoy or need a break from reading, or indeed talking ('death by PowerPoint' can be an issue for the presenter as well as the audience!);
- They are universal, unlike English: complex technical documentation can be especially tough going for those who aren't fluent English speakers;
- They succinctly express a huge amount of information, not just the literal content but also those ephemeral concepts I mentioned, plus relationships within and beyond the topic area;
- It is straightforward for us to emphasize important stuff and down-play other aspects through judicious choice of images, sizes, colors, juxtaposition and overlays such as words, boxes, lines and arrows;
- They prompt the audience to ponder the topic and internalize the points we've emphasized (hopefully!);
- They are interpreted live, in real time, by both the presenter and the audience. They put across the intended learning points at least, but there's plenty of latitude here, far more so than with descriptive text. The particular organizational and social context is often important, such as when someone draws parallels with IoT incidents they have personally experienced.
Here's an illustrative example (literally!) - an awareness image used as a PowerPoint slide concerning the use of things as attack platforms, jumping off points:
There are just 5 words overlaid on the slide and even they aren't strictly necessary if the seminar facilitator understands the message, points out the constituent parts and explains their meaning ... which I'm not going to do for you now. See what you make of it!
You've probably noticed a similar approach with the awareness poster thumbnails scattered throughout this blog and the NoticeBored website.
With very few words, the poster images are meant to make people puzzle over the meaning, thinking for themselves and chatting with their colleagues.
We're explicitly aiming to catch their imaginations, stimulate contemplation and encourage discussion.
The other awareness materials and activities help fill in the gaps, so we don't feel the need to explain everything on the posters. In fact, that kind of spoon-feeding would be counterproductive.
Along similar lines, we use Visio graphics quite a lot, including mind-maps and diagrams, PIGs for instance.
But that's more than enough words from me for today. Something for you to ponder over the weekend?
* It's ironic that this blog is so wordy. Sorry. [Note to self: cut the words, boost the graphics! Explore vlogging maybe?]