For additional background and insight, we will once again be encouraging NoticeBored subscribers (through the train-the-trainer guide in June's NoticeBored module) to take a close look at their information security metrics, incident reports, Help Desk tickets etc., specifically in the realm of physical information security. We'll urge them to dig out relevant data and anecdotes to pep-up their awareness programs.
Rhetorical questions worth considering:
- What are the most common kinds or causes of physical security incidents? Why would that be? Does that suggest an issue worth exploring further? Is management already on to it?
- Which are the most disruptive, costly or worrying incidents? What makes them so troublesome? Who is or should be concerned enough to take action? What has been the worst recorded incident (so far!) and what prevents it happening again?
- Roughly how much are physical incidents costing the organization per year/month/day? Is that acceptable?
- Do the incidents vary markedly between departments, business units, locations etc.? Why is that? Is there anything worth learning from the best or indeed the worst performing parts?
- Are physical security incidents being (a) reported routinely and promptly, and (b) addressed efficiently and effectively? If not (e.g. if you know of any physical incidents that were not reported and tackled in the correct manner), why not?
- Are there any persistent/longstanding root-cause issues blocking real and sustained progress (such as
lack of awareness and interest at management level)?
While some of these questions specifically concern June's awareness topic (physical information security), the approach is much more widely applicable: anecdotes, data/statistics, reports, findings etc. directly concerning the organization are an excellent source of material for awareness purposes.
The point is that we are not just concerned with information risk and security from a theoretical or academic perspective. There are genuine issues right here in practice, incidents occurring and problematic situations close at hand.
This stuff is real ... so sit up and pay attention.