Welcome to the SecAware blog

I spy with my beady eye ...

31 Jul 2017

NBlog July 31 - August's cyberinsurance awareness module released

A few hours ahead of schedule, we've just sent customers August's package of security awareness materials covering cyberinsurance - a new field, a novel awareness subject, and the 62nd topic in our bulging portfolio.

Cyber risk is an increasingly significant concern to organizations that are critically reliant on IT systems, networks and data ... and can you think of any that are not critically reliant?  Aside from the direct, immediate impacts (losses and costs) and effects on business systems, networks and data, cyber incidents may have devastating business consequences if supply chains, perhaps even whole industries and nations are affected. The risk extends throughout and beyond the corporation.

Arguably the most effective way to reduce cyber risk is to avoid risky business activities altogether … but naturally that means forgoing the business benefits of those activities.  It's not even possible in some cases.

The next best option is to mitigate or reduce cyber risks using cybersecurity controls. These can be complex, costly and imperfect, but at least the activities can take place. Security professionals naturally favor this option: it's their home turf ... but it's not the only way.

Sharing or transferring risk to third parties (such as insurers and business partners) is the subject of August’s materials ... and I'll have more to say about that during the month ahead.

Finally we have the option to accept cyber risks that have not been treated (eliminated or reduced) in other ways – actually, ‘option’ is a bit misleading since some cyber risks have to be accepted, regardless: there is no choice. Risk acceptance is the default, leaving us exposed to the possibility of cyber incidents and the consequences thereof.

In short, cyberinsurance reduces the amount of cyber risk we have to accept.

The NoticeBored module delivers 60 MB of cyberinsurance awareness materials.

If you're quick you can get all of that for just $100 through our mid-Winter sale: a whole year's awareness content will set you back $1200, but you'll have to hurry. Once Spring is sprung, we'll revert to our normal pricing. And look what turned up this morning ...

30 Jul 2017

NBlog July 30 - lambs, more lambs

Despite the looming end-of-month deadline, we managed a few hours off this weekend to visit friends across the bay, passing this little threesome en route, the proud mum with her newborn daughter and son enjoying a bright and sunny but bitterly cold NZ day, so cold in fact that our water pipe froze this morning. 

Think of us as you Northerners head off to the beach for your summer vacations. We're fine, really, we're OK.  We have thick woolly coats.

The cyberinsurance awareness module is virtually finished, with just the proofreading and any final corrections left. I'll package and publish it for customers tomorrow, updating the NoticeBored website and this blog with information about the new materials - more than 30 items and 60 MB of brand new awareness content, on a cutting-edge security awareness topic. 

We'll be drawing our mid-Winter sale to a close at the same time, so if you've been thinking about 'doing' awareness, your big chance to take out a NoticeBored subscription at an unbeatable price is almost up.  

29 Jul 2017

NBlog July 29 - Spring is in the air

As we head inexorably towards Spring, it's peak lambing season down here in New Zealand.  

We have three woolly bundles huddled down in the paddock already, their little knees knocking whenever a cold Southerly blows in from the Antarctic.  

The remaining heavily-pregnant ewes have been doing their breathing exercises for weeks, waddling laboriously around and complaining about their backs. Their bags are packed, the route to the birthing suite laid out and well-practiced.

Meanwhile the rams can't settle, frequently checking their mobiles for The Call. Having missed prenatal classes, they are somewhat perplexed at the activity and noise just the other side of the fence ...

28 Jul 2017

NBlog July 28 - Hinson tips for risk workshops

A qualitative Risk Analysis typically involves holding one or more ‘RA workshops’, bringing together a bunch of experts in risk (including but ideally not just information risk), information security, compliance, IT, internal audit and the business (concerned managers, business continuity people) etc. with a competent facilitator (again, ideally someone outgoing with a background in information risk, possibly just a brilliant facilitator with an interest in making it happen and a successful record!) to organize and lead the session/s.  

Here are my hints on organizing and running RA workshop session/s (based on my personal experience and prejudices: your approach will vary!):

  1. Do some preparatory work before even booking or inviting people to the first event – in particular, consider the purpose. What do you expect the organization to get out of it? Why should people invest their valuable time by participating? Find out how other kinds of risks are analyzed/assessed normally, and how workshops are typically run. Speak to supportive senior managers to get them on-board with this – their support, and ideally their participation, will be invaluable. Start talking to other potential participants to sound them out, informally, and hopefully get them engaged/interested if not actually committed to participate (note: ‘participate’ not ‘attend’!). Once word gets around and others start to enquire about joining in, it’s time to press ahead to phase 2 …

  2. Based on the availability of key people, decide on the (first) session date, book a suitable meeting room or videoconference facilities, and send out invitations with a clear description of the purpose. Ideally send out background info too, such as  an outline of relevant information risks already identified and managed, plus items for discussion such as further info risks that perhaps ought to be assessed and treated too (e.g. based on recent incidents, within the organization or elsewhere). Perhaps give people some homework to do before the session – at least a few issues to consider and hopefully get them in the right frame of mind for a productive session. Work closely with the facilitator (if not you) and other key players. Think about how the session/s will be run – perhaps even rough-out the agenda.

  3. Keep promoting the event/s. [It may be possible to complete the whole thing in one session, but I suggest leaving open the possibility of further sessions, follow-ups, focus groups or whatever might be needed to explore some aspects in more depth, or simply to complete a wide-ranging analysis. It may be hard to convince people to commit to a lengthy and laborious process, so be sure to clarify the benefits: explain why this is a worthwhile and necessary investment of everyone’s time! The payoff includes awareness, understanding, collaboration, decisions, agreement, authority to proceed etc. …]. Spend time contacting and meeting people, explaining what is going on, reiterating the purpose, and generally lining things up. Send out reminders a week or so before the event. Via or in conjunction with those supportive senior managers, apply thumbscrews to any key people who are still reluctant to participate. As a last resort, persuade them to attend key parts of the session (beginning, middle or end – wherever they will gain and provide most value).

  4. Meanwhile, get things ready for the event itself. You’ll probably need whiteboards, for instance, but what else? How will the session pan out? What’s the agenda and timescale? How will things be recorded, and by whom? What outputs are to be generated? What inputs/info might be needed, or should be accessible? Order coffee and donuts! 

  5. Think about the team dynamics and personalities of those who will participate. Are there shy people who need to be supported to open up?  How? Are there assertive ones who may need to be gently restrained? How? Are there bones of contention, hot buttons to be pushed, parked or avoided? Who are the diplomats, the most powerful, well-connected and well-respected people present who can help keep things running smoothly and on-track? 

  6. There are lots of ways to run the session: my personal favourite involves first setting the background and explicitly agreeing the objectives, then getting people to write down their initial thoughts/ideas on Post-It notes (one per note), then inviting them one at a time to stick their notes on the whiteboard (ideally in related groups) while explaining briefly what concerns them. Don't dominate, facilitate! Let the discussion evolve and continue naturally from there, with gentle guidance as needed … gradually bringing things together by focusing on building, say, a PIG (Probability Impact Graph) or risk spectrum diagram or risk matrix or whatever – something, anyway, that brings sense and order to the thoughts and discussion, drawing out important themes, concerns or issues. Gradually firm up the group’s view of the information risks, relative to each other and perhaps relative to other risks to the organization. Check that you are on-track and meeting the objectives. Put extra effort into discussing and clarifying the main risks, and any issues, concerns or matters still unclear. Pick out and record any show-stopping/surprising comments, agreements, disagreements or decisions for extra emphasis. End by thinking forward to next steps: is more analysis needed e.g. another meeting? Are there already actions arising that need to be initiated and progressed? Who needs to do what, how and by when? Who else needs to be involved or agree to that? End by checking that you’ve met the objectives, sum up what you’ve achieved, outline what happens next, and of course thank everyone for their active participation.

  7. Follow-up. At the very least, tidy up the records and outputs of the session and circulate them to participants and other interested parties (possibly a brief overview for everyone – it’s a security awareness opportunity after all!). Get going on those actions arising e.g. update your risk register, Risk Treatment Plan, budget proposals etc. Make notes on how to make these activities even better next time.

There are websites, books and probably training courses in this area if you need even more guidance, as well as standards and methods for risk analysis and management as a whole. I’ve learnt how to do it by participating in and organizing these and other similar sessions, and by trying stuff out over several decades. It’s exhausting but can be fun and very rewarding when it goes well. An effective group is greater than the sum of its parts.

If risk workshops don't appeal, another approach is to do the initial risk analysis yourself (perhaps with your team or someone from Risk) on the basis of your knowledge, experience, expertise and biases (!), producing a ‘straw man’ that you can then discuss with individuals or small groups, modifying it as you go according to those discussions and further information that comes to light, including incidents and near-misses plus ongoing risk treatments. Work your way systematically up to and then around the management team, plus assorted info-risk-related experts. Every time you discuss it with a new person, add them to the distribution list for periodic updates including notes about recent changes made, to keep them informed as the picture evolves. It becomes a kind of live status report on the organization’s information risks – a metric in fact - that focuses attention on the risks identified, prioritized or ranked according to the consensus opinions of their relative probabilities and severities (or whatever parameters you use). Take the opportunity to mention information security initiatives and challenges, emphasizing how your work relates to risks of concern to the business.
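Whichever way the ratings are gathered - Post-It notes on a whiteboard, or one-to-one conversations around a straw man - the bookkeeping is the same: collect each participant's probability and impact rating per risk, settle on a consensus value, place the risks on the PIG and rank them, while keeping track of where people disagree so those items get the extra discussion time. The script below is an added illustration, not part of the original post nor any NoticeBored tool. It assumes a 1..5 scale on both axes (use whatever your organization uses) and takes the higher median of the votes as the consensus, so that a split group errs towards the more severe rating. The votes are constructed sample data.

```python
"""Turn a risk workshop's Post-It ratings into a ranked PIG.

Added illustration, not from the original post. Each participant
rates each risk for probability and impact on a 1..5 scale (an
assumed scale). The consensus is the higher median of the votes,
which errs towards the more severe rating when the group is split.
"""
from collections import defaultdict
from statistics import median_high

SCALE = (1, 2, 3, 4, 5)

# Constructed sample votes: (risk, participant, probability, impact).
VOTES = [
    ("Ransomware on file servers", "IT", 4, 5),
    ("Ransomware on file servers", "Audit", 3, 5),
    ("Ransomware on file servers", "Ops", 4, 4),
    ("Supplier outage", "IT", 3, 3),
    ("Supplier outage", "Ops", 4, 3),
    ("Supplier outage", "Audit", 3, 2),
    ("Laptop theft", "IT", 2, 2),
    ("Laptop theft", "Ops", 2, 3),
    ("Insider data leak", "Audit", 4, 5),
    ("Insider data leak", "IT", 1, 5),
    ("Insider data leak", "Ops", 2, 4),
]


def consensus(votes):
    """Per risk: consensus probability and impact, plus the spread
    (max minus min) of the votes on each axis, so that disagreement
    is surfaced rather than silently averaged away."""
    by_risk = defaultdict(lambda: {"p": [], "i": []})
    for risk, _who, p, i in votes:
        if p not in SCALE or i not in SCALE:
            raise ValueError(f"rating out of range for {risk!r}")
        by_risk[risk]["p"].append(p)
        by_risk[risk]["i"].append(i)
    return {
        risk: {
            "probability": median_high(r["p"]),
            "impact": median_high(r["i"]),
            "p_spread": max(r["p"]) - min(r["p"]),
            "i_spread": max(r["i"]) - min(r["i"]),
            "votes": len(r["p"]),
        }
        for risk, r in by_risk.items()
    }


def rank(cons):
    """Highest probability*impact first; ties go to the higher impact,
    then alphabetical so the order is reproducible."""
    return sorted(
        cons.items(),
        key=lambda kv: (-(kv[1]["probability"] * kv[1]["impact"]),
                        -kv[1]["impact"], kv[0]),
    )


def disputed(cons, threshold=2):
    """Risks whose votes differ by `threshold` or more on either axis:
    candidates for the 'extra effort' discussion in the session."""
    return sorted(
        risk for risk, r in cons.items()
        if r["p_spread"] >= threshold or r["i_spread"] >= threshold
    )


def pig(cons):
    """5x5 Probability Impact Graph keyed by (probability, impact)."""
    grid = {(p, i): [] for p in SCALE for i in SCALE}
    for risk, r in cons.items():
        grid[(r["probability"], r["impact"])].append(risk)
    return grid


def render(cons):
    """Text rendering of the PIG, impact on the vertical axis, 5 at top."""
    grid = pig(cons)
    lines = []
    for i in reversed(SCALE):
        cells = ["; ".join(grid[(p, i)]) or "." for p in SCALE]
        lines.append(f"I{i} | " + " | ".join(f"{c:<26}" for c in cells))
    lines.append("     " + "   ".join(f"P{p:<24}" for p in SCALE))
    return "\n".join(lines)


if __name__ == "__main__":
    c = consensus(VOTES)
    for risk, r in rank(c):
        score = r["probability"] * r["impact"]
        print(f"{score:>2}  P{r['probability']} I{r['impact']}  {risk}")
    print("Disputed:", disputed(c))
    print(render(c))
```

Run it and the ranked list, the disputed items and the grid are printed; in the sample data the insider-leak item is flagged because the probability votes range from 1 to 4, exactly the kind of disagreement worth spending session time on, whereas a plain average would have hidden it behind a middling score.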

Although the process (however you do it) is clearly subjective, I believe it would be a huge improvement for many organizations that either don’t do this kind of thing all, or leave it entirely to someone buried away in the deep dark depths of IT or Risk. Stronger interaction or engagement between “information security” and “the business” is invaluable in gaining and retaining widespread support for an ISO27k ISMS, when the time is right.

PS  Chris Hall suggested that it might be worth running workshops with different groups of attendees, giving them the chance to explore their areas of concern more freely perhaps than in a mixed audience:
"You might need to hold a few workshops with different groups of attendees from different business areas. For example, it would not normally be a good idea to hold a risk workshop with both IT techies and some business function people."

27 Jul 2017

NBlog July 26 - terms of art

The day before yesterday I mentioned that we've been discussing terminology and definitions on a couple of professional forums. In exploring the first few terms of art, we've begun peeling back the layers to reveal more complexity beneath. Almost immediately, we realized the need to define some of the terms we were using in the initial definitions - the very reason that our glossary is sprinkled with hyperlinks.

Discussing the core term, "risk", we've danced around various ways to express some combination of probability or frequency of occurrence and projected severity or magnitude of impact, losses and other adverse consequences.  

"Information risk", then, relates to incidents involving or affecting information, hence "information security" involves measures to reduce or limit the number and/or the severity of incidents involving or affecting information ... which is markedly different to the common definition along the lines of 'protecting the confidentiality, integrity and availability of information' - although I guess the two could be combined, if necessary.

Aside from those particular points, the discussion has set people thinking and talking: as an awareness-raising technique, it has worked, to some extent anyway. As is normal for virtually all awareness activities, a small proportion of the audience has actively engaged and responded: the vast majority have remained silent. Whether they are watching with interest, on the point of speaking up, livid with rage and so unable to express themselves coherently, or simply tuned-out and away-with-the-fairies we don't know - probably some mix of those, and perhaps other attitudes.

That thought suggests another possible awareness metric - a survey of opinions among the intended audience of a corporate infosec awareness program about the program, their engagement with it, interest in it, perhaps exploring the reasons why they feel the way they do. Provided the survey was carefully designed and competently executed on a reasonable sample of the population, it should generate useful, actionable insight with, probably, a few focal points in need of improvement. Aside from any weaknesses, it might also confirm the program's strengths (e.g. if people are happily enjoying, absorbing and learning from the information provided without the need to get actively involved, that would not be a bad outcome - a basis on which to build at least).

25 Jul 2017

NBlog July 25 - glossary as an awareness tool

By coincidence, two of the professional groups/discussion forums I frequent have both been discussing terminology today.

It takes a particular personality type to enjoy discussing terminology, in depth. It requires both tight focus and a broad appreciation of the field. It helps to be well-read, since terms and concepts generally emerge from study or research that may be obscure. It helps also to be open-minded, since terminology is one of those things that fires-up experienced and knowledgeable colleagues: the passion is almost palpable! I'm not at all worried about being "put straight" by respected gray-beards - we all give as good as we get, part of the cut-n-thrust of professional discussion.

Some might consider us anally-retentive. 

On the other hand, the information content of language is critically dependent on the meanings, interpretations and implications of the words we use. In relatively new and complex areas such as information security, misunderstandings and confusion stemming from limited or inappropriate vocabulary can be inconsequential, mildly annoying or problematic, depending on the context. On top of that, language evolves naturally as a consequence of how it is used in social intercourse. There is plenty of wiggle-room. 

Anyway, today we've been discussing the meaning of about a dozen core terms of art in the field of information risk and security. Although I don't intend to expand on the definitions and discussion here, it's a chance to raise a more general point about awareness and training.

Explaining terminology is an important part of any decent awareness program or training course. It helps set the scene for both the audience and the authors/presenters/trainers. It differentiates relatively superficial from more in-depth approaches - the former gloss over the details anyway.

We maintain an extensive information security glossary, updating and re-issuing it every month in the course of developing each batch of awareness content. Any specialist terms used in the definitions are hyperlinked to their own definitions, making it interesting (fun even!) to follow one's nose from term to term, hopefully discovering and learning new stuff along the way. It reminds me of the joys of browsing dictionaries, encyclopedias and most of all Roget's Thesaurus when I was young (yes, a long, long time ago, pre-Google, when we thumbed through reference books made of a substance known as paper).
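A glossary whose definitions link to other definitions is a directed graph of terms, and two things go wrong with such graphs: a definition links to a term that has never been defined (the situation described in the July 26 post, where defining a term revealed further terms in need of definition), and a term is defined but nothing links to it, so a browsing reader never finds it. The script below is an added example, not part of the original post and not the NoticeBored glossary or its tooling. It assumes links are written as [[term]] in the definition text (a stand-in for the real hyperlinks) and uses a handful of constructed entries in the style of the definitions discussed above.

```python
"""Check the link structure of a hyperlinked glossary.

Added example, not the NoticeBored glossary. A link from one
definition to another term is written as [[term]] (assumed markup,
standing in for the real hyperlinks).
"""
import re
from collections import deque

LINK = re.compile(r"\[\[([^\]]+)\]\]")

# Constructed sample entries, deliberately left with one undefined
# term ("data") and two terms nothing links to.
GLOSSARY = {
    "risk": "The combination of the [[probability]] of an [[incident]] "
            "and the severity of its [[impact]].",
    "information risk": "[[risk]] relating to incidents involving or "
                        "affecting [[information]].",
    "information security": "Measures to reduce the number and/or severity "
                            "of incidents involving [[information]]; "
                            "compare [[information risk]].",
    "actuary": "A specialist who uses [[data]] to estimate [[risk]] "
               "for insurers.",
    "probability": "How likely an [[incident]] is within a given period.",
    "incident": "An event that harms [[information]] or the systems "
                "that process it.",
    "impact": "The harm caused by an [[incident]].",
    "information": "Data in context; see also [[data]].",
}


def links(definition):
    """Terms linked from one definition, lower-cased for matching."""
    return [m.group(1).lower() for m in LINK.finditer(definition)]


def dangling(glossary):
    """Terms linked from a definition but never defined themselves.
    Returns {missing_term: [terms whose definitions link to it]}."""
    missing = {}
    for term, text in glossary.items():
        for target in links(text):
            if target not in glossary:
                missing.setdefault(target, []).append(term)
    return {k: sorted(v) for k, v in sorted(missing.items())}


def orphans(glossary):
    """Defined terms that no other definition links to."""
    linked = {t for text in glossary.values() for t in links(text)}
    return sorted(set(glossary) - linked)


def reachable(glossary, start):
    """Every defined term you can reach by following links from `start`,
    i.e. what a reader who keeps clicking will eventually see."""
    seen, queue = set(), deque([start.lower()])
    while queue:
        term = queue.popleft()
        if term in seen or term not in glossary:
            continue
        seen.add(term)
        queue.extend(links(glossary[term]))
    return sorted(seen)


if __name__ == "__main__":
    print("Undefined but linked:", dangling(GLOSSARY))
    print("Defined but never linked:", orphans(GLOSSARY))
    print("Reachable from 'risk':", reachable(GLOSSARY, "risk"))
```

On the sample data the undefined term is "data" (linked from two definitions), and "actuary" and "information security" are only reachable from the index. Running the dangling check every time the glossary is re-issued is the mechanical part of what the forum discussion did by hand.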

At the same time, I'm not a professional lexicographer. The glossary is a valuable working tool, not a formal academic treatise. We quote numerous "official" definitions from various "official" sources such as ISO/IEC 27000, but in most cases we add our own pragmatic definitions - particularly when the formal ones are too obscure, narrow or plain misleading for our purposes.

Here's a tiny extract to demonstrate its style:

I added "Actuary" today, in connection with August's awareness topic, cyberinsurance. Along with other terms relevant to cyberinsurance, it is picked out in red. In the definition, "data" and "risk" are underlined hyperlinks to their respective definitions ("risk" is pink because I've followed that hyperlink to check and update the definition, following today's exchange on the forums). 

Some of the definitions (such as that one for activist) are a little tongue-in-cheek because they amuse me, and hopefully those little nuggets of humor spur-on the intrepid reader who has the interest and the stomach to browse an information security glossary. Our aim in awareness is not just to educate or inform, but to entertain and engage - a delicate balance. 

The whole thing is now a little over 300 A4-pages, defining over 2,000 terms with over 80,000 words in total, growing a further page or two most months.  If you'd like a copy, download the PDF for less than $5.

22 Jul 2017

NBlog July 22 - ISO27k for GDPR

Someone just reminded me that nearly a year ago I wrote a document mapping the EU General Data Protection Regulation requirements to an ISO27k Information Security Management System.

The idea is to demonstrate how the ISMS satisfies most of the GDPR requirements, within an overarching governance framework that has other benefits (since it covers more than just privacy).  

If you find yourself in a bit of a pickle right now, under pressure from management to "do GDPR, and quick!", the mapping document helps by laying out and explaining the requirements. Even if you don't have an ISO27k ISMS at present, and have no immediate intention of implementing one, the structure is well worth considering. Turn GDPR from a challenge into an opportunity!

The mapping was released as part of the free ISO27k Toolkit and is covered by a Creative Commons license, so feel free to share the links with your peers.


21 Jul 2017

NBlog July 21 - Global Risk Management Survey

Yesterday I blogged about various information sources that keep me abreast of the field. 

Right on cue, here's an excellent example: a shiny nugget I found on the Web today, following my nose from a Google search through several other references and links.

Aon's latest Global Risk Management Survey reports on an online survey completed by business people from 1,843 organizations globally at the end of 2016. 

According to the 2017 report, the top 10 risks of most concern to management are:

  1. Damage to reputation/brand 
  2. Economic slowdown/slow recovery 
  3. Increasing competition 
  4. Regulatory/legislative changes
  5. Cyber crime/hacking/viruses/malicious codes 
  6. Failure to innovate/meet customer needs 
  7. Failure to attract or retain top talent 
  8. Business interruption 
  9. Political risk/uncertainties 
  10. Third party liability (inc. E&O)

I've highlighted #5 - cyber risks - because they are so obviously relevant to information security awareness.

Apparently, cyber risks were ranked #1 by respondents from the aviation, education and government sectors. Why might that be?
  • The aviation industry is extremely safety-conscious, so I guess they are concerned at the possibility of cyber incidents leading to injuries and deaths, for example through cyber-terrorism. On top of that, fly-by-wire planes are critically dependent on their on-board IT systems so system design flaws, bugs, configuration and operator (especially pilot!) errors can be lethal. The dreaded blue screen of death could be literal. 
  • Governments, meanwhile, must deal with sophisticated and well-resourced cyber-attacks by other nation states, while doing their best to protect critical national infrastructures and economies. They also need to address terrorists and criminals, as well as tax-evaders, fraudsters and so on. As they become increasingly computerized, governments are inevitably more exposed to cyber threats.
  • I don't really know why the education sector is so worried about cyber risk, except perhaps the fact that kids today are more cyber-savvy than all previous generations, including the teachers and administrators trying to educate them. Hmmm, not sure about that.  [Thoughts, anyone?]

I am surprised the finance industry is more worried about other risks, but then they have to deal with global economics, politics and regulation, so maybe cyber risks are just another challenge!

"Cyber threat has now joined a long roster of traditional causes—such as fire, flood and strikes—that can trigger business interruptions because cyber attacks cause electric outages, shut down assembly lines, block customers from placing orders, and break the equipment that companies rely on to run their businesses. This explains the dramatic rise in ranking, from number nine in 2016 to number five this year. For survey participants who are risk managers, they have voted it a number two risk, probably because cyber breaches are becoming more regulated, with many companies in the U.S. and Europe facing mandatory disclosure obligations. Similar requirements are being introduced in Europe and elsewhere. As a result, cyber concerns will continue to dominate the risk chart ... About 33 percent of surveyed companies are now purchasing cyber[insurance] coverage, up from 21 percent in the previous survey."

20 Jul 2017

Navigating the World Wide Warren

A while back, this blog made it onto Feedspot's top 100 infosec blogs. Today, I finally got around to displaying our medal. Thanks Feedspot. I'm honored to be listed among such awesome company! 

A couple of times lately, I've been asked how I manage to keep up with the field for our security awareness and consultancy services. Good question! 

Blogs are an excellent source of information and inspiration. I track a bunch of blogs routinely through Blogger - roughly 40 on my reading list at the moment although some of those are in fact feeds aggregating or streaming an unknown number of individual blogs, and some relate to my hobbies and interests outside infosec. Yes, I have a life! The trick with blogs is to find and track the more creative bloggers who consistently generate good stuff, discarding those who only ever re-post other people's efforts, adding little if any value. [Yes, there are blogs in Feedspot's top-100 that I ought to be following: systematically checking them out and adding the best to my reading list is another task on my to-do list.]

I browse a few favourite magazine sites from time to time, such as The Register. Well-connected journalists come up with interesting stories. I most enjoy articles that take different angles and scratch below the surface, pulling together facts and opinions from various sources that I would otherwise have missed. [A decade or more ago, magazines and newspapers were also good for actual news, but these days social media outpace them most of the time.]

I enjoy well-written books and maintain a decent office library. In contrast to the other sources, most books go deep, requiring more effort and concentration ... but the reward is a deeper appreciation of a topic area, including conceptual frameworks.

Talking of gossip, I enjoy being part of various online discussion forums and professional/industry groups. Mostly it's a slog, though, with the vast majority of participants contributing nothing at all - it's just take take take for them. Aside from the few who actively post and discuss stuff, the rest somehow seem to suck the life out with their deafening silence. 

RISKS-LIST is a remarkable resource, thanks to the tireless efforts of its moderator since the dawn of time, as much as the contributors. I doubt there has been a single issue that didn't contain at least one item worth exploring further. 

Linkedin posts by members of a few infosec-related groups or my connections are worth hunting down. However, the deluge of marketing tripe is a serious problem - far too many 'social media marketing experts' putting the din in Linkedin. The abysmally low signal-to-noise ratio means a lot of wasted time, distractions and annoyances. I blame the apparent lack of moderation, coupled with a preponderance of vacuous advertisements spewing forth in the guise of news, like so many home-shopping channels on speed.

Personally I'm not into Twitter, Facebook and the like. I just don't have the time for such trivia.

Google rocks! The search engine is awesome, albeit a little annoying and inconsistent at times. The intense focus on whichever web pages make it to the top of the search results is a concern since there are bound to be more innovative nuggets buried further down the list. Perhaps Google ought to give us the option to promote a few matching sites at random into the search results we see? Meanwhile, I make good use of the search options and syntax to dig out what's new. [Blogger is a Google service so this very blog would be off-the-air without Google.]

Lastly of course, there's the World Wide Web, without which we'd still be stuck in the Dark Ages. All those blogs, groups, journalistic pieces and search results are basically just pointers to the gold, not the gold itself. Original research papers, surveys and articles are how I really find out about infosec. Industry journals such as the ISSA and ISACA Journals often publish meaty, worthwhile, peer-reviewed content with traditional references to their sources ... leading me down deep dark rabbit warrens that I first learnt to navigate when doing my PhD way back in the 80s. 

So that's how I keep up with the state of the art. Almost anyone can do it: all it takes is about 12 hours of intense concentration per day, a lifetime's interest in scientific research ... and a million rabbits.

19 Jul 2017

NBlog July 19 - drawing order from chaos

We're plugging steadily away on August's awareness module on cyberinsurance, with nothing much to report today ... but I will just mention the word cloud.

The clutter represents (figuratively) how cyberinsurance words appear to people who hear or read - but don't really understand - them. 

Words that are relatively commonplace or more relevant to the topic are emphasized in a larger font size to stand out from the remainder but other than that it's obviously a jumble. 

Helping people make sense of the topic is a general aim of awareness materials and programs of all kinds. We bring out structures and relationships within the topic area, and between this and other topics, forming a mesh or framework to aid understanding.

As well as being a useful illustration for the module, the word cloud reminds us to be clear as we prepare the materials, taking our varied audiences into account. The complexity varies both from topic to topic and within any one topic area: a significant part of our job is to simplify and explain, ideally without just glossing over or ignoring those complexities. We can reasonably expect the more experienced professionals in our audience, for example, to be more willing to tackle and grasp the details than workers in general. They have different backgrounds and needs. Awareness programs that only provide superficial information offer little value, while expensive, in-depth training courses are only appropriate for specialists ... leaving a void in the middle ground that we are filling.

As well as the word clouds, the mind maps, diagrams, poster images and other graphics, plus the written or spoken words, build a picture that makes sense.

In short, we're drawing order from chaos.


18 Jul 2017

NBlog July 18 - awareness + training = learning

"The Trouble if Security Awareness Training Is Mainly a Penalty" is a well-written piece by Dan Lohrmann on the Government Technology website, expanding on several points relating to personal motivation and corporate culture.

"I believe transforming the security culture still remains our greatest challenge as we head toward 2020. But how can we get to this elusive “culture of security” while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?"

One of the concepts or approaches Dan discusses is 'just in time training', a buzzword which implies doing away with general awareness activities in favor of something more focused on the specific needs of individuals. I believe that is known as 'training' (!) which certainly has value ... but still I maintain that awareness and training are complementary approaches - neither the same thing (despite widespread use of the misleading term "awareness training"), nor alternatives. Both training and awareness are valuable.

Let me explain with a familiar example. 

Most of us learn to drive through training - normally intensive, one-on-one guidance by an experienced, competent and qualified driver trainer, someone who coaches and leads us through the process of acquiring the knowledge, skills and capabilities necessary to pass the driving test. 

Driver training is expensive in terms of the fees plus the time and focus required. You can't really learn to drive without giving it your full attention. In the early stages, the manual coordination required to get the vehicle moving in roughly the right direction, and to stop when required, is mentally challenging and physically tiring. Later on as our competence increases, we become more relaxed ... unless/until something unfamiliar happens (such as someone turning across our path) when the instructor's dual-controls come to the rescue! 

Training has a specific goal - passing the test - plus broader objectives such as safety. Learning the 'rules of the road' is a particular aim, covering relevant laws (such as staying within the speed limits) that are likely to affect the outcome of the driving test. 

Most of us learn about road safety through a more general, informal style of learning, closer to awareness. We may be explicitly taught specific skills such as crossing the road safely at marked crossings, but mostly we learn to be safe on the roads in a gradual, life-long experiential process - we experience and figure out how to deal with hazardous situations at first hand. Even if the speed limit is 50, we discover that rain, snow and ice materially affect changes of direction or speed, hence the safe speed may be much less than 50. Hazardous road junctions, kids playing and (other!) unrestrained animals may have been pointed out by our instructor, mentioned in official guidelines, even brought up by TV advertisements ... but facing actual incidents, for real, really brings the warnings home at a more emotional than intellectual level. We literally gasp and shake.

That describes a conventional approach, although of course there are variations - advanced driver training, for instance, and self-training. I doubt anyone would seriously suggest doing away with training or awareness: they complement and support each other.

Finally, if you're not already confused enough, in everyday language 'training' often refers to fitness training, specifically. People get physically fit by exercising. In a broader sense, exercises are an excellent way to learn things by going through the motions, practicing behaviors in a deliberate, conscious way in the hope they will become automatic even when we are in a panic. Fire evacuation, penetration tests, case studies and business continuity tests/rehearsals are all exercises: whether you think of them as training or awareness is moot. Either way, we know they work. They have their place. 

Gary (Gary@isect.com)

17 Jul 2017

NBlog July 17 - cyberinsurance metrics

To illustrate the need for cyberinsurance, we'll be using commonplace IT incidents that are easy to explain in August's awareness materials, being familiar to or readily understood by the target audiences.

People who don't already know much about insurance may be surprised to learn that such incidents are not covered by traditional policies - at least not for certain, and not in full.  So that's something they will learn.  They will also learn that cyberinsurance is available, and (if properly specified) would cover those same incidents. Probably, and again not in full - another learning point.

So aside from simply learning stuff, what if anything are people supposed to do differently if August's security awareness effort is effective? To answer that requires us to figure out what behavioral changes might be expected to occur in the organization.

One way to think this through is to identify activities that should ideally start or increase, or should decrease or stop, such as:
  • Cyberinsurance-related awareness activities should of course increase, for example more visits to the intranet pages on this topic, awareness materials being downloaded, people attending seminars etc.;
  • Workers in general ought to be thinking and hopefully chatting about cyberinsurance:
    • It should feature on relevant agendas e.g. in information risk and security management meetings, and perhaps board or exec team meetings;
    • Managers and professionals should start thinking of cyberinsurance as a commercially viable way to treat cyber risks, for instance including it explicitly as an option to consider in related policies, procedures, guidelines and checklists;
    • Cyberinsurance terms should crop up more often in various internal communications (aside from the awareness materials, that is), such as emails, memos, reports and casual conversation;
  • Someone should start digging out and checking through the fine print of existing insurance policies, and if appropriate procuring, negotiating or renegotiating cyberinsurance cover;
    • There should be an increase in the associated procurement and insurance activities;
    • Studies, reviews and audits may be conducted in this area;
    • There will probably be demonstrable management decisions in this area e.g. approval to (re)negotiate cyberinsurance and spend money;
    • There may be budgetary impacts if cyberinsurance is increased and/or conventional insurance is pared back;
  • There should probably be a reduction in the level of residual information risk that is accepted by the organization, as other forms of risk treatment (not just cyberinsurance) increase;
  • People should stop naively thinking of insurance as a catch-all solution to all their cyber problems.
Anything that can be observed to change can be measured, hence our analysis is a basis for identifying possible information security metrics in this area. It supports the GQM approach through which one identifies business Goals, poses Questions arising, then comes up with Metrics that would help answer the questions and so fulfill the goals. 

Despite cyberinsurance being such an unusual and arguably esoteric topic, this amply demonstrates the nature and depth of analysis required to come up with valuable security metrics in general - all of which is fueled by effective security awareness. 


14 Jul 2017

NBlog July 14 - the infosec pitch

A couple of days back I blogged about being more concise and focused in my writing. Today, with that in mind, I wrote the 'elevator pitch' on cyberinsurance. The whole point of the pitch is to get straight down to business so normally we manage to squeeze the key awareness message/s into about 150 words. 

This month's pitch is just over 100 words (700 characters) and I'm wondering how far we could squeeze it if we really tried. Is it feasible to sum up, say, cyberinsurance in a single tweet?

Well, yes, I'm sure we could concoct a message of less than 141 characters ... but why? Are people honestly so snowed-under with information that they can only spare us a few brief seconds? 

Advertisers face the same issue, hence those lame tag lines we see/hear so often (in NZ anyway) tacked on the end of the ads - things like "The real thing" and "I'm lovin' it". They've reduced the message to the point that virtually all meaning is lost. They have become symbolic rather than literal. The primary purpose is not to express anything so much as to trigger brand recognition. I bet you know which products those tag lines are associated with, right? Ker-ching!

Advertising is different to security awareness, although we have a fair bit in common. We can't rely on monotonous, ad nauseam repetition of our awareness content - or can we? Actually, we can, but at a deeper level than commercials. Beneath the superficial layers, we are constantly circling around and refreshing core messages about information risk, security, privacy, governance, responsibility and so forth, important concepts and principles underpinning all that we do. In a sense, the rest is just fluff to fill the screen.

As to tweeting, Donald Trump is kindly conducting a live experiment for us right now. He's certainly getting plenty of coverage: his tweets generate a surprising number of column-inches, although a lot of the reporting and commentary seems distinctly cynical or sarcastic. Is it meaningful communication? I'm unconvinced.

13 Jul 2017

NBlog July 13 - building on awareness foundations

Cyberinsurance is one way to treat some cyber risks. Which ones?

That disarmingly simple question has taken next month's management seminar down a couple of interesting avenues.  

The first concerns the nature of cyber risks that one might reasonably expect to fall within the remit of cyberinsurance. Most don't. Insurers are particular about the kinds of risks they accept, actively managing their own risks and businesses.

Second is the distinction between insurance customers' 'reasonable expectations' and the reality of how policy terms and conditions are actually interpreted by the insurance companies and industry, the legal profession including the courts, and the regulators. 

We can explain the first issue quite easily using the PIGs (Probability Impact Graphs) that we provide in the awareness materials most months. Thanks to repeated prior exposure, we don't need to explain the PIG graphic to the audience laboriously, from first principles: we can leap directly into discussing distinct areas or groups of risks on the PIG. In other words, we are building upon the foundations of information risk and security awareness laid down in previous months, making reasonable assumptions about the audience's knowledge and understanding of the underlying concepts and taking them up a level. 

That's cool! It applies very broadly, not just in this specific case. A security-aware workforce starts at or above the ground floor in knowledge terms, not down in some cold, dark, damp and smelly basement.


12 Jul 2017

Mid-winter sale

It’s f-f-f-f-freezing down here in New Zealand, so we’re spreading a little warmth.  

If you're quick, your first year's subscription to the NoticeBored security awareness service will be US$1,200. Yes, just 100 USD per month, regardless of the size of your organization, for the very best security awareness content available.

We’ll even throw in the usual welcome gifts (the policy suite and Infosec 101 module) for free.  

This is a very special price, available to the first 50 new customers only ... so don’t delay, get in touch straight away.

To take advantage of this offer, simply mention “nuts off” in your inquiry.

If $100 is still too much for you, send us your sob story.  Persuade us that security awareness is not even worth $100 per month to you.  

Go ahead, make my day.  Seriously.


11 Jul 2017

NBlog July 11 - on strike

At the weekend I drafted an article, circulated a link to the draft and invited feedback from a bunch of friends in one of the groups I belong to. We had been chatting quite animatedly about something of interest to the group for a good week or more, so I tried to capture the essence of the discussion, doing my best to reflect all perspectives and express the central points.

Normally when I write stuff (such as this very blog) and circulate it asking for comment, I get next to no response. Often nothing at all. Nil. Nada. Zip. As if nobody even saw it, let alone had anything to say. 

[... cue tumbleweed blowing through Gulch Creek to whistling wind ...] 

This time, the exact opposite - loads of responses and plenty of interaction, almost too much in fact!

At first I put it down to the fact that a couple of outspoken friends were a little upset at some of the things I wrote in the draft which, admittedly, were a bit edgy, contentious you could say but not intentionally inflammatory. Anyway, they were evidently goaded into responding quite sharply, making their feelings clear to all. My article had lit the blue touchpaper. 

So, I thought, perhaps my writing should be more contentious in general, if that's what it takes to fire up a response?

At the same time, however, several others responded in support of what I had written, with a few improvement suggestions and other comments. There followed a couple of days of to-and-fro as we kicked things around on email, while I revised the document to knock off the most pointed bits and incorporate various suggested changes. We all pulled together and the article benefited as a consequence.

That made me think about passion: everyone who had expressed an opinion was passionate about the topic, as is the group as a whole. Some were fairly emotional in their responses while most simply wanted to explain their points, dispassionately arguing for various changes, including counter-points to the two who were upset. 

A few told me the incomplete, rough draft was so inspirational that they are already circulating it! What an ego-boost!

On reflection, the group members' passion for the topic is probably what sparked such a dynamic exchange, rather than contention ... or perhaps it was both, or something else entirely such as the typos in the original? I'm not sure.

What is clear to me, though, is that I need to make changes to how I write stuff, or what I write about, if I want to get any kind of response from the audience. It feels like I'm battling enormous inertia out there (yes, that's YOU!) and/or my stuff is being lost in the noise. We have so many streams of information coming at us from all directions, a veritable tsunami, that we can't possibly deal with it all, so inevitably we are forced to prioritize. The rest is consumed and disappears.

So now I'm looking for clues about how to raise the priority of information security, how to strike the spark that ignites the same level of passion that drives me to write this stuff in the first place. 

Although this may be a philosophical muse, it is directly relevant to security awareness. If our awareness content is lost in the noise, we might as well not bother. You could even argue that we're adding to the tsunami - part of the problem rather than the solution. 

Hmmm. Could I have expressed all this in a sentence, a tweet perhaps, a few millipictures?

Don't bother commenting on this blog. I know you've got more important things to do. Don't worry about me, I'm fine. No, really, I'll cope. Move along, nothing to see here. Next.


8 Jul 2017

NBlog July 7 - peering through the mist

We've started working on August's NoticeBored module, covering cyberinsurance - a new security awareness topic.

As with all cyber-things, our first task is to define what we mean - easier said than done, given that cyberinsurance is a neologism, a newly-coined term that means different things to different people and organizations (not least the insurers!). It is often used informally without much effort to clarify the meaning, or in distinctly biased and narrow terms by insurance companies promoting their particular products - smoke and mirrors maybe.

For the module, we'll explain cyberinsurance in the business context of commercial insurance ... which means we also need to describe the various forms of commercial insurance, so I've been exploring the web to find out more about that. It's quite confusing so one of our tasks this month is to simplify and structure things for the awareness audiences.

It looks as if management will be the primary audience for this topic. Some managers may already know about cyberinsurance and have it in place, but I suspect it will be new to most. There are strategic, policy, risk management, governance and compliance aspects to draw out, as well as the commercial side and more practical angles (such as the possibility to draw on insurers' expertise for assistance in times of cyber-crisis).

For professionals, aside from describing what cybersecurity is about, we will probably discuss the need to put other controls in place to reduce the probability and impact of cyber incidents, taking care to fulfill obligations stated or implied by the policies in order to treat the risk of cyberinsurers refusing to pay claims in full. We'll make the point that those things ought to be done anyway and should not be perceived as a burden imposed by the insurance.

For the general employee stream, as well as outlining commercial cyberinsurance, we can describe those forms of cyberinsurance aimed at individuals and families. Taking it back to basics, we might also need to explain the concept of insurance as a whole, in terms likely to resonate with the audience.

So, as you see, the scope and purpose of the module is emerging from the mist and should become crystal clear in the next week or so. 


4 Jul 2017

NBlog July 4 - how many topics does your awareness program cover?

A piece on LinkeDin set me thinking this morning - actually several pieces did but I shall spare you my cynicism, other than to say that the unbelievable din of superficial marketing tripe, me-me self-promotion and sycophantic back-slapping on LinkeDin all but drowns out the few grains of useful content. 

But I digress.

Bucking the trend, IT Security Basics: A Basic IT Security Awareness Program for Your Employees by Marc Krisjanous does what it says on the tin, laying out the bare bones of a basic approach to IT security awareness aimed at 'employees' (in other words staff, users, the hoi polloi). Do have a read: Marc has some good ideas in there, a step or two up from the most naive approach that is a common starting point for awareness.

On the other hand, and with all due respect to Marc, it falls short of good practice ... which thought made me mull over the lifecycle, the stages through which awareness programs typically develop, in other words another maturity scale.

[Before continuing, please take a moment to do something for me. Work out roughly how many topics your security awareness program has covered to date. I'm not talking about the scope (all those little things that merit the odd mention here and there) but rather the specific focal points or issues that the awareness program, materials and activities focus on in some depth. Go ahead, check your list and tot 'em up. I'll explain why at the end of this piece.]

OK, bring on the maturity scale ...

Stage 0 - nothing: there are no security awareness activities whatsoever. That implies several things:
  • Negligible security awareness among employees in general, most being totally oblivious while a few may vaguely hope or believe that someone else 'does' security, whatever that means;
  • No interest in security awareness by management, presumably including the information/IT security people themselves (if there are any);
  • No roles and responsibilities in this area, and zero accountability. When (not if) incidents occur, the organization collectively takes the hit, and nobody feels compelled to do anything about it. Fingers point from each to the other;
  • An unnecessarily high level of information risk, hence those incidents I mentioned are likely to be both more numerous and more severe than they need be. Worse still, they come as nasty surprises, out of the blue, despite the possibility being glaringly obvious to any interested, security-aware onlookers (ransomware incidents being a highly topical example).
Stage 1 - starter: at this level, there are some awareness activities but they aren't really planned or managed as such - rather they are one-off or sporadic episodes, with no defined purpose or goal both individually and overall. The topics tend to be a more or less random selection, perhaps picking up on major incidents (such as ransomware) in a reactive way, arguably too late to achieve much benefit from awareness. The awareness materials are basic, to say the least - perhaps a lame poster lifted from the web (quite possibly infringing someone's copyright, since the lack of awareness may extend to the people 'doing' awareness). Stage 1 starter-level security awareness may be better than nothing, but only just!

Stage 2 - basic program: a program involves planning and management of the security awareness activities. Someone cares enough about it to determine what ought to be done and hopefully how and when to do it. However, the basic awareness program is typically run on a shoestring, either totally unfunded or seriously under-funded. There is little management interest or support, except perhaps the desire to do the least amount possible to satisfy compliance obligations (implying management's awareness of those obligations, at least). There's no real appreciation of the value of security awareness, a blind-spot that often extends to IT/cyber and information security in general. Due to the lack of funds, stage 2 programs are necessarily limited in scope and reach, for example targeting "users" (meaning certain IT users) with barely enough content to be worth distributing. This is paying lip-service, although management of stage 2 organizations may be aghast at being so labeled, due to their own lack of awareness.

Stage 3 - funded program: funding may indicate that management truly believes in the value of security awareness, but could also reflect a need to spend some spare cash, compliance pressure from the authorities, or drive from within (either individual leaders or departments such as IT, Risk, Legal, Privacy, Audit or of course IT/Information Security). We see the first inkling of accountability at this level, management realizing that if the organization suffers serious incidents, the lack of an awareness program points directly to their lack of governance. However, the awareness program itself may be little more than the stage 2 version, with limited topics, restricted audiences and narrow goals (perhaps still undefined). A minimalist approach is common, limited to external (legal and regulatory) and perhaps internal (policy) compliance.

Stage 4 - organization-wide program: extending the reach of the security awareness program to take in the entire organization takes things up a notch. It may not be immediately obvious but this seemingly innocuous extension, to me, marks a dramatic change of emphasis from IT/cybersecurity to information risk and security as a whole. A lowly office cleaner, for instance, has important information security responsibilities, even though he/she is unlikely to use corporate IT (except perhaps taking advantage of the guest WiFi to catch up with Facebook on a cheap smartphone during breaks!). That's true even if he/she is a cleaning contractor employed by a service company, not actually an employee of the organization running the program. [This is why the NoticeBored security awareness materials refer to "workers" rather than "employees": we hope subscribers won't discriminate against third party maintenance people, contractors, consultants etc. working for the organization on-site.] A nice refinement here is to identify distinct awareness audiences or groups within the organization, developing awareness content and activities specifically designed to appeal to and help them, supplementing the more generic stuff aimed at workers (not just [IT] users, remember!) in general.

Stage 5 - psychology: security awareness and training is adult education in the corporate context. As such, the science behind education is relevant and applicable, particularly the behavioral sciences within biology, including psychology. Appreciating the distinction between 'enforcement' and 'reinforcement', for instance, crucially divides awareness programs that are perceived negatively by their audiences from those that are positive. The typical compliance-based approach essentially involves warning workers about the dire consequences of non-compliance - the personal and organizational penalties arising. Emphasizing the business and personal benefits of addressing information risks through appropriate security controls takes the discussion to a different place, particularly for management. Organizations at stage 5 truly appreciate the need for motivation as well as information, and so take steps to motivate and encourage.  

Stage 6 - training and awareness system: large, mature organizations often have specialized training functions within or allied to HR. Their purpose is to assist with, if not actually deliver, training courses throughout the organization on a range of subjects and levels e.g. induction or orientation courses for new starters, compliance-driven courses, technical and skills-based training, and supervisory/management training. Learning Management Systems often come into play at this stage, opening the door for third party suppliers of training content. The systematic approach to awareness is another, more subtle element of stage 6. Although they usually focus on intensive training courses, specifically, the professionals in training functions often have the background and skills to assist with awareness activities as well, if only they have the time and inclination. They also have more than just a clue about good practice ...

Stage 7 - good practice: there is a diffuse set of characteristics defining or demonstrating good practices in security awareness, including:
  • Professionalization - by which I mean employing or promoting competent, experienced and talented security awareness and training professionals (ideally close-knit teams, not just lone individuals), giving them the latitude and support to both do stuff right and do the right stuff. Career progression is important for these people like all others, hence skills enhancement courses, projects and other personal development opportunities are worthwhile for the kinds of people who excel in these roles, and just as valuable as more money (within reason!); 
  • Interaction between information security or other specialists and the audiences, particularly in-person presentations, seminars, courses, workshops, demonstrations and so on, supplementing the typically rather dry, drab and lifeless written content. A suite of social skills is needed here, such as empathy ... which can be distinctly challenging for information security awareness people with classic IT/tech backgrounds and other personality types. Having said that, I'm relieved to note that the skills and competencies can be learnt and are certainly enhanced through practice;
  • Collaboration among and between specialists in different areas of expertise on shared awareness-related goals (e.g. health and safety plus site/physical security plus information security);
  • Standardization - both in the sense of turning the organization of awareness events and the production of awareness materials into repeatable and improvable sausage-machine operations, and by adopting the good practice advice in globally-respected standards such as ISO/IEC 27002 and NIST SP800-50;
  • Meaningful metrics - measuring the things that truly matter to the organization in achieving its goals, as a way to enable, direct, drive and demonstrate progress, value, effectiveness, efficiency, maturity etc. If your idea of a good security awareness metric is to graph the number of people who have attended your events, you have quite a journey ahead! Metrics turn standardization into continuous improvement;
  • Creativity and innovation - catching the eyes and imaginations of the audience groups naturally helps engage them fully with the program. There are further advantages to being creative and innovative with the content, the formats, the modes of delivery and so on, not least the topics. Given the time taken to prepare and deliver awareness, and for the audiences to absorb and react to it, your awareness topics ought to reflect not just present but future threats and information risks to the organization. Good luck even figuring those out far in advance, let alone preparing sensible content - and I should know: this is a substantial part of my role; 
  • High quality materials delivering both breadth and depth. As well as covering fewer topic areas, immature awareness programs tend to be quite superficial in their coverage. Some topics deserve, and some audiences need, more in-depth content, but at the same time it's easy to confuddle the general awareness audience, requiring a finesse to both the awareness messages and the awareness content.
Stage 8 - best practice: going beyond mere good practice, these are the award-winning awareness programs, figuratively if not literally. Best practice programs are outstanding in the field, highly effective and, in short, a roaring success. Their excellence is generally acknowledged by insiders (staff, managers and related third parties) and sometimes by outsiders ... although, since organizations at this level tend to be in intensely competitive industries and/or in national security, government and defense, they tend to be quite discreet about it. Discretion is part of security awareness, after all! [Note: awards that can be bought rather than earned don't count, sorry. Integrity is part of information security.]

Stage 9 - cutting edge: whereas creative, experimental and innovative approaches to security awareness and training can come into play at all levels in a limited way, mature organizations that find good/best practices inadequate have little option but to push back the frontiers and strive for the ultimate. They go beyond best practice. It's not really that best isn't good enough for them, rather they totally accept the value proposition for security awareness and see more to be gained by going beyond the obvious - for example, a genuine security culture means far more than the set of goals on some promotional poster.

Stage 10 - dissolution: once information risk and security are utterly and deeply ingrained into the entire organization, there may be little need for a security awareness program as such. A strong security culture is inherently self-sustaining as vigilant, alert workers spot and react appropriately to information risks in an almost reflexive manner, hence paradoxically security awareness and training programs become less obvious at this level. The activities still occur but there is no longer any need to point them out since it is almost impossible to find any part of the organization, any person, any activity that is not inherently security-aware. Security has become "the way we do things around here". 


[OK, now, do you have that topic count I asked you for? The reason is that I suspect the number of topics might be a useful indicator of the maturity of an organization's awareness program. Simply divide your count by ten and check the correspondingly numbered stage, interpolating as appropriate. For example, if your program has covered 14 topics since its inception, I would guess that puts you part way between stages 1 and 2. You probably exceed the criteria for stage 1 with some aspects of stage 2, perhaps even odd bits from later stages too. If your honest answer was zero, well I hope you would not be too surprised to be labeled a stage 0 organization! Notice the topic counts implied at the upper levels: here we're talking scores of topics, most likely spread over several years though, since trying to squeeze too much into any one year is bound to be counterproductive: people will become confused and overloaded, tuning out and disregarding the awareness messages. Notice I'm calling this an indicator, not a rigorous scientific metric based on known cause-and-effect relationships. There are conceivably fabulous awareness programs covering only a few topics, and crappy ones supposedly covering loads. However, I think as a general indicator it might be 'close enough for government work', and virtually free too - a valuable combination in security metrics.]

Gary (Gary@isect.com)

PS I'd love to know whether the awareness maturity model is sound and whether the suggested indicator works for your organization. You don't need to disclose the number of awareness topics or the stage you believe you have reached - in fact if you are above the very bottom level you are hopefully security-aware enough to realize that such disclosure may not be a good idea. Nevertheless, I'm keen to know if it is sufficiently accurate and helpful for me to develop and publish this blog piece more widely. If not, how can I improve it? What have I missed or got wrong? Over to you ...