Welcome to the SecAware blog

I spy with my beady eye ...

29 Feb 2020

InfoSec 101 module released

Whereas usually our awareness and training modules focus in some depth on one of the 70 information security topics in our portfolio, Information Security 101 is a broad but shallow module. It is designed to bring workers quickly up to speed on the basics of information risk and security during security induction courses, for periodic refresher training, or when launching an awareness program.

As soon as a new worker arrives, they start absorbing and being assimilated into the corporate culture, picking up ‘the way we do things here’. Sensible organizations run orientation sessions to welcome newcomers and kick-start the cultural integration.

InfoSec 101 covers common information risks (e.g. malware) and information security controls (e.g. antivirus). The materials are deliberately succinct, outlining key aspects without delving into the details. We’re not trying to tell workers everything about information risk and security all at once but to set them off on the right foot, engaging them as integral and valuable parts of the organisation’s Information Security Management System. It’s a gentle introduction, more splash in the paddling pool than high dive at the deep end!
First impressions matter, so the module helps Information Security, HR or training professionals deliver interesting and engaging awareness sessions accompanied by impressive, top-quality supporting materials. Establishing personal contacts throughout the organization gradually expands the Information Security team across the enterprise - more ‘eyes and ears’ out there. This alone would be well worth the investment!
As well as serving induction or orientation purposes, InfoSec 101 also facilitates the launch or relaunch of an awareness and training program in support of relevant laws and regulations (GDPR for instance), ISO/IEC 27001, PCI-DSS and other compliance obligations. It introduces the program, quickly bringing everybody up to the same foundation level of awareness and understanding.
Either way, the module is intended to lead in to an ongoing or continuous security awareness and training approach: it is unlikely to be sufficient by itself.
The seminar slides, leaflets, model policies and other materials advise workers to check out the Security Zone, an area on the corporate intranet managed by Information Security with all manner of awareness and training materials such as your policies and procedures. Along with the Help Desk, the Security Zone is a focal point for anyone seeking additional information and advice. A generic functional specification for the Security Zone is provided in the module to help you set one up from scratch or review and perhaps redesign your existing site.

Download InfoSec 101 today

26 Feb 2020

A good day down the salt mine

The remaining items for the recycled Information Security 101 module are falling rapidly into place. It will be a bumper delivery with fifty (yes, 50) files already in the bag.

One of the regular end-of-month jobs involves matching up the awareness items - the files - with the contents listing and their descriptions in the train-the-trainer guide. Years back I came up with a simple numeric naming scheme to make it easier to get the files in order and link them with the listings. Good thing too: this afternoon I came across one listed item that I've decided to drop from the module, and about three additions that need to be listed and described. There's still a little time left before delivery to change things further and renumber, again, if we need to ... which emphasises the value of these final quality checks before packaging and despatch.

Another part of the quality assurance process is to open and review the content of all the files. This is our last chance to spot speling mishtakes, errror, omissons and half-finished

I've already made a couple of passes through the materials: the first pass often reminds me of things I've brought up in one item that ought to be repeated or reflected in others, so there's a bit of back-and-forth refinement ... but the looming deadline means eventually I have to call a halt to the spit-n-polish phase. It's tough for me to stop when the materials are 'good enough' rather than 'perfect' but I console (or is it delude?) myself by thinking that nobody but me will spot most of what I consider to be the remaining errors, while it's unlikely I will ever find a further tranche of errors due to my inherent blind spots.

So I keep calm and carry on.

In risk terms, I'm consciously making a trade-off. I could carry on checking and refining the content indefinitely but I'd blow the delivery deadline. Alternatively I could stop right now and deliver the module as-is, but I'd be distraught to discover significant problems later on ... which does happen sometimes when I re-read stuff I have written, checked and published some months or years earlier. Some of the problems that catch my beady eye now are genuine boo-boos that I should really have spotted and corrected at the time. Some are things I would put differently now because I've changed and the infosec world has moved on. Few are genuine factual errors, but to be honest that's more a case of me making the same mistakes repeatedly, than the perfection of my writing. Evidently I'm only human. I bleed.

Also in risk terms, I appreciate that despite my best efforts there will almost certainly be things wrong with the finished module, but what of the impacts? I'd be distinctly embarrassed to learn of obvious issues, and I might need to correct them at some cost for rework. Some costs are borne by our customers for whom the awareness materials don't quite go to plan, although part of their regular activities on receipt of each new module is to check through and customise the content to suit their organization's specific awareness and training needs, their industry/business situation, their information risks etc. I think we can all live with that. Risk accepted.

24 Feb 2020

InfoSec 101 for pro's

Today I'm working on the Information Security 101 awareness seminar for professionals, by which I mean workers with a professional interest in information security. 

As with the staff and management seminars, the aim is to cover the basics in a way that appeals to the audience: I figure the professionals are more clued-up than most, particularly on technology, so it's appropriate to go into a little more depth here on the fundamental concepts ... starting with risk and control. 

The diagram above represents the nature of risk i.e. 'uncertain outcome'. That's a seminar slide's worth, with a few words from the presenter briefly explaining each of the red-amber-green spectra as they appear on the screen.

The next slide contrasts two complementary forms of control: either we stop harmful things from occurring by avoiding, preventing or mitigating incidents, or we ensure that good things occur - and that's an intriguing thought. What does that actually mean in this context? 

'Prevent bad stuff' is what most people think security is all about ... but wait, there's more. 'Protect good stuff' refers to maintaining the confidentiality, integrity and availability of information, thereby supporting and enabling business activities which use and depend on information.

Looking again at those two images, the simpler, cleaner style of the 'control' one seems more elegant and better suited to Information Security 101, so I will redraw the 'risk' one in the same style.  

We could stop right there with a 2-slide professionals' seminar but, tempting as it may be, that's arguably a simplification step too far. An unknown proportion of the pro audience may have no background or interest in this area, and some will doubtless be flagging under the onslaught of this and other induction courses. 

From there, we will briefly cover information risk management and information security management, mentioning a few basic security controls as examples of things we're using to manage information risk.  The seminar will wrap up by returning to the business aspects - the reasons why InfoSec is important. And that's that. Bish bash bosh, job's a good'un. Simple enough when you know how ... thanks to, ooh, 17 years of full-time effort plus a couple of decades before that preparing and delivering occasional courses, seminars, reports and awareness activities.

22 Feb 2020

The educator virus

From time to time, people get all excited about micro-learning, the educational equivalent of eating a chocolate elephant - one bite or byte at a time.

"It's easy", the line goes. "Simply break down large indigestible topics into lots of smaller edible chunks, spreading them out enticingly for people to snack on whenever they feel peckish."

I've tried that with our digital awareness content. For some strange reason, nobody was hungry enough to consume the random assortment of ones and zeroes, hundreds and thousands of bits all over the disk.

Evidently it's not quite that easy. Education is never easy, if you want it to work well that is. Micro-, milli- and macro-learning, online learning, traditional classroom-based courses, webinars and seminars, conferences, educational events, rote and experiential learning, on-the-job training and demonstration classes, mentoring and so on are neither simple nor universal solutions. They each have their pros and cons. 

For one thing, they're all just tools in the box. For an educator who happens to be a master craftsman, almost any tool will do, but he has preferences and a range of experience.

Likewise for the students: some of us like reading and thinking things through in private, or debating the ins-and-outs at length with colleagues.  Others need to be shown stuff, just briefly, or put through an intensive boot camp complete with sadistic 'instructors', hard beds and nasty food. Some appear stubbornly resistant to all known edumacational techniques and do their level best to skip class, and we all have our cognitive issues occasionally.

The fact that there is such a variety of techniques suggests that none of them is ideal for all learning situations. The advice to use, say, micro-learning could be taken to mean "use ONLY micro-learning" but that would be a mistake, in just the same way as "send them to college" or "gamify it"! It's well-meaning but naive silver bullet advice.

Consider how we learn stuff in general. We take classes, go to night school, take driving or diving or cookery lessons, read up on stuff, watch YouTube vids, read/listen to/watch/contemplate sage advisors, ask someone ... and generally muddle through by ourselves, learning as we go from our successes and failures.

One thing that's common to all those approaches is the student's desire to learn, or at least the willingness to give it a go, try it out and maybe pick up new skills. Without the motivation, the perceived value or payback from their investment of time and energy (and often $$$), learning is less likely to occur, which perhaps explains those stubbornly resistant drop-outs. It also, for some of us at least, explains why a passionate, enthusiastic, energetic teacher can make a world of difference - someone with the skills, knowledge and motivation to teach. Conversely, a dull, uninspired, untalented teacher can suck the life out of even the most interesting topic, an educational black hole. 

If you're an educator, good luck expressing your passion, enthusiasm and energy in micro-bytes, or Learning Management System modules, shoot-em-up games or Tweets, evening classes or lunch-n-learn sessions - preferably several of them. If you're a student, good luck finding approaches that suit your preferences, and passionate educators keen to pass on their knowledge and infect you with their enthusiasm ... for that's how the cycle repeats, like Coronavirus spreading from person to person. 

Give a man a fish and he's fed for a day. Teach a man to fish and he's fed for life ... and maybe one day he'll feel compelled to teach the whole village to fish, provided they can spare the time from their cookery classes that is.

20 Feb 2020

Proceed with caution

Using the Information Security 101 theme I mentioned on Feb 14th, I'm close to finishing the first set of presentation slides with a preponderance of yellow and black. 

Through a carefully chosen sequence of bright, clear images, no bullet points and very few written words, the slides tell a visual story based around risk. The core message is that information security is less a case of stopping the business from doing things, than of being vigilant. 'Proceed with caution' sums it up nicely.

Given the elegance, simplicity and power of those 3 words, I'm not sure whether to elaborate on information risk and information security at all, in fact. I guess we'll mention a few current threats, some recent incidents and typical controls in the speaker notes but I rather like the idea of leaving it up to the presenter/trainer to decide how to play things at run-time - during the induction courses and awareness program launch sessions for which the 101 module is destined. Some audiences will get it, effortlessly, while others might need a bit more of a steer, more of a clue about the point we're expressing here.

I've blogged before about my strong preference for images over written words on training course and seminar slides. The audience should focus their energies on understanding what the presenter/trainer is putting across, rather than reading the words on the screen, and is there anything more sleep-inducing than an inept and often nervous presenter literally reading aloud his own slides, often great blocks of text in a dreadful monotone?

It's not exactly death by PowerPoint, but close. "Take it easy, relax. Your eyelids feel heavy ..." 

The answer is glaringly obvious: swap the written words for diagrams and images. 

Visual impact is doubly important for induction courses since inductees are often assaulted by an avalanche of new information. There's a lot to take in - not just from the slides and maybe handouts but from the speakers/trainers too, plus their new colleagues. If our Information Security 101 materials add to rather than slice through the information fog, we're squandering a golden opportunity.

This is one of those situations where less is more, so I'm already de-wording, cutting slides and trimming/simplifying/refining the content. When it comes down to it, there are only a few things we really need to say, so I propose to focus sharply on those in a short presentation, leaving a good chunk of the allotted time for the presenter/trainer to interact with the audience in one or more live segments during the course of the presentation and either side of it.

There's only so much we can do to support the live segments. The slides and speaker notes are prompts, and as usual we'll be providing a stack of tips in the train-the-trainer guide in the awareness module - like for instance treating the induction sessions as a valuable opportunity for Information Security to meet and connect individually one-on-one with new starters - putting faces to names.

Since induction sessions run frequently (in mid to large organizations at least), we'll encourage the presenters/trainers to bring up in the live segments whatever infosec-related issues happen to be topical that very day. I have in mind:
  • Recent/ongoing privacy breaches and other significant infosec incidents from the news (international, national or local);
  • Emerging threats and other concerns drawn from recent security alerts, briefings and so on; 
  • Hot topics within the organization - current risk and security focus areas, major projects, business initiatives etc.;
  • Hot topics and concerns from the audience: what would they like to discuss? 
  • Any interesting security metrics (yes, although rare, they do exist!);
  • Hot topics within the profession - nothing too involved, just a glimpse of the challenges we face in adopting novel security technologies and techniques;
  • New InfoSec policies, new standards, new courses, new security survey reports, new people, new controls ... new anything really. It would be cool if inductees joined their departments with tidbits of new knowledge to impart to their new colleagues - something to talk about anyway, and it's all part of socialising security awareness.
And that reminds me: repeated induction sessions mean plenty of chances for the trainers/presenters to practice and refine their techniques, gradually gaining confidence and experience. Personally, I'm cynical about those tedious post-session feedback sheets as a means of gathering audience feedback and scores, compared to the presenter/trainer simply taking a moment to consider their own performance and figure out for themselves what went well, or not. Being alert for audience reactions during the sessions forces the presenter/trainer to maintain eye contact throughout - which is definitely A Good Thing. On top of that, there's nothing to stop someone calling on inductees a short while after to ask them how the induction session went.

19 Feb 2020

Brahms and Liszt

Fueled by a lot of Brahms and a wee tot of rum, half an hour's idle brainstorming on the purpose and objectives for information security awareness generated the following little Liszt:
  • Rites, rituals
  • Rite of passage
  • Ritual slaughter
  • Religions
  • Belief systems 
  • Cult, visionary leader, positional power, faith
  • Sheep, lemmings
  • Wolves, packs, threats, skills
  • Group-think, conformity
  • Compliance, rules, constraints, in the box
  • Individuality, creativity, nonconformity, freedom, out of the box
  • Hippies, communes, cliques
  • Hallucinogens
  • Noncompliance
  • Cultural norms, expectations
  • Counter-cultural, bucking trends
  • Conventions, habits, preferences
  • Automatic behaviours, instincts
  • Socialising infosec
  • Social pressure, influence, shared values
  • Social acceptability
  • Social structures, hierarchies, links
  • Networks and relationships
  • Families, organizations, departments, teams, groups, cliques
  • Nations
  • Interactions
  • Dynamics
  • Pressures
  • Battles, wars, competition for scarce resources
  • Reproductive success
  • Change, complexity
  • Systems, chaos, unpredictability, risk
  • Structure, predictability, stability
  • Maturity, development, continuous improvement
  • Expertise, experience, knowledge, wisdom
  • Best practice

As presented above, you may be able to follow the logic but to be honest it didn't flow forth in that linear sequence so much as a seemingly random jumble of often disturbing thoughts - more nightmare than bedtime story. 

Re and they all lived happily ever after, I'm not at all sure where this is going. Several of those things are obscure, off-topic or taboo (hey, another bullet point!) but as to whether they might or might not be appropriate for inclusion in the InfoSec 101 awareness materials I can't say at this point. It might be fun to elaborate on some of them, a creative challenge for sure and maybe just the thing to connect with audience segments that resist our more conventional approach to security awareness ... but think about your own reactions as you read the list: they might equally confuse or turn people away from the topic. 

The solution to this conundrum, hopefully, is to sleep on it.

17 Feb 2020

Neat and tidy

My perfectionist streak flared up with a vengeance today.

First I spent a productive couple of hours checking and revising the content of our generic/model Acceptable Use Policies, intending to include them in the updated InfoSec 101 module for March. 

Aside from reviewing and tinkering with the information content, this also involved standardising the formatting of the AUPs by using the same MS Word template with specific styles for all of them. The AUPs have been updated at various times in various NoticeBored modules and I noticed that, somewhere along the way, I must have changed the bullets and colouring for the 'acceptable use' and 'unacceptable use' points. Evidently I have also meddled with the boilerplate text that tops and tails each AUP, making them slightly inconsistent. To my beady eye, this will not do! 

Unsure how to name the model AUP files, I toyed with the idea of making a single multi-page document containing them all but customers may not want them all.  Instead I settled on a numeric naming scheme.    

As I was doing that, I noticed the document properties also needed standardising. The properties are stored with each document and affect the directory listings. To get to this picture of neatness ...

... I had to fiddle with the Tags and Authors for each of the 8 AUPs. 

The Tags are easy enough to update but changing the Author property is a little awkward: originally, the Author for all the files was "Gary" which, although technically correct, is not helpful for those who don't know it was actually little ol' me. I decided to use my unique email address instead, and soon discovered that updating the Author of both existing and new Word documents involves numerous clicks and typing. It always defaulted to Gary.

"There must be a better way!" I muttered to myself, and started by exploring the properties saved on the info tab of my Word templates - a bit of a mission since the templates are stored under my profile, and updates can't be saved while the templates are open. Instead, I had to follow this 8-step process:
  1. Create a new document using an existing template
  2. Update the template content
  3. Save the updated file as a template (in my default templates directory - I've been here before) with a new name
  4. Close the open file
  5. Navigate to the templates directory in Windows Explorer (made easier using a previously-saved shortcut) 
  6. Delete the original template
  7. Rename the revised template the same as the now deleted original
  8. Open a new document using the updated template to check it out.
Unfortunately, I soon discovered that the Author property on a Word template does not automatically carry forward to new documents created using that template, even though I am the only user of this PC. Instead, MS Office insists on using the "User name" stored in the General tab of my Word Options ...

Nothing as obvious as "Default author" though, oh no. That would be far too easy. Silly me.

So here I am, some two hours after noticing and deciding to fix those little discrepancies, still not entirely sure I've permanently fixed the problems but at least I've vented some of my angst and hopefully helped some of you avoid the same pitfalls. If in due course I find the updated default Author does not also apply to PowerPoint, Excel and other Office files, I'll gnaw my knuckles rather than bore you with another rant.
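For anyone facing the same chore across a folder of existing files, here is an added example (mine, not Gary's or NoticeBored's) that sidesteps the clicking altogether. A .docx or .dotx is a zip package, and the Author, Tags and "Last Modified By" values that Explorer shows are the dc:creator, cp:keywords and cp:lastModifiedBy elements of its docProps/core.xml entry, so a short script can rewrite them in bulk. It does not touch Word's "User name" option, which (as noted above) is what stamps the Author on documents created later; it only fixes files that already exist. The sample files it builds are constructed stand-ins with just enough of the package structure for the demo, and "policy-owner@example.com" is a placeholder for whatever address you want shown.

```python
"""Bulk-standardise Author and Tags on Word files by rewriting docProps/core.xml.
Added example; assumes only the standard library and the OOXML core-properties part."""
import io
import os
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml (the OOXML "core properties" part).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep Word's own prefixes on output

CORE_PATH = "docProps/core.xml"


def read_core_properties(docx_bytes):
    """Return title, author, tags and last-modified-by from a Word package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read(CORE_PATH))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None and el.text else ""

    return {"title": text("dc:title"), "author": text("dc:creator"),
            "tags": text("cp:keywords"), "last_modified_by": text("cp:lastModifiedBy")}


def set_core_properties(docx_bytes, author, tags):
    """Copy of the package with Author, Tags and Last Modified By rewritten;
    every other zip entry is copied through unchanged."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src:
        root = ET.fromstring(src.read(CORE_PATH))
        for tag, value in (("dc:creator", author), ("cp:keywords", tags),
                           ("cp:lastModifiedBy", author)):
            el = root.find(tag, NS)
            if el is None:  # property not present yet: create the element
                prefix, local = tag.split(":")
                el = ET.SubElement(root, "{%s}%s" % (NS[prefix], local))
            el.text = value
        new_core = ET.tostring(root, encoding="utf-8", xml_declaration=True)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                data = new_core if item.filename == CORE_PATH else src.read(item.filename)
                dst.writestr(item, data)
    return out.getvalue()


def standardise_directory(directory, author, tags):
    """Rewrite every .docx/.dotx directly under `directory` in place and
    return the names touched. Word's ~$ lock files are skipped."""
    touched = []
    for name in sorted(os.listdir(directory)):
        if name.startswith("~$") or not name.lower().endswith((".docx", ".dotx")):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            original = fh.read()
        with open(path, "wb") as fh:
            fh.write(set_core_properties(original, author, tags))
        touched.append(name)
    return touched


def build_sample_docx(author="Gary", tags=""):
    """Constructed stand-in for an AUP file: the minimum package parts this
    demo needs (Word writes many more). Author defaults to "Gary" as on the page."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
            'xmlns:dcmitype="%s" xmlns:xsi="%s"><dc:title>Acceptable Use Policy</dc:title>'
            '<dc:creator>%s</dc:creator><cp:keywords>%s</cp:keywords></cp:coreProperties>'
            ) % (NS["cp"], NS["dc"], NS["dcterms"], NS["dcmitype"], NS["xsi"], author, tags)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr(CORE_PATH, core)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    folder = tempfile.mkdtemp()
    for n in range(1, 9):  # eight constructed AUP files, as in the post
        with open(os.path.join(folder, "AUP-%02d.docx" % n), "wb") as fh:
            fh.write(build_sample_docx())
    print(standardise_directory(folder, "policy-owner@example.com", "AUP; InfoSec 101"))
    with open(os.path.join(folder, "AUP-01.docx"), "rb") as fh:
        print(read_core_properties(fh.read()))
```

Two practical points. First, keep a copy of the originals before running it over a real folder: the rewrite is done in place, and although the script copies every other zip entry through byte-for-byte, a package Word will not open is an expensive way to learn that a file was half-written when the disk filled up. Second, this is exactly the kind of metadata that travels with every file you distribute, so reading the properties back (as `read_core_properties` does) belongs in the final pre-despatch quality check alongside the proofreading, not just in the tidying-up session.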

Tips on security induction sessions

The InfoSec 101 management presentation is coming along ... but I'll need to rein in my enthusiasm for all things yellow to refocus on the information security essentials: one of the challenges with induction training is keeping it within a tight timescale. 'Speak fast!' is not the answer because the audience probably won't take it all in, given that information security is just one of several important induction topics. It's trial by fire for them.

Some of our customers will have more time for induction training than others, so my cunning plan is to make the 101 presentations flexible. Customers who have the luxury of more time can elaborate on pertinent details and interact more extensively with the inductees. Those short of time may want to skim through or skip some of the slides ... but I hope to encourage them all to make the time to introduce inductees to the information security team. Making that personal link starts the long process of getting to know each other, with benefits on both sides as time goes on. For example, it's easier for workers to email, pick up the phone or drop in on someone they have already met, whether to ask a question, raise an issue or simply say "Hi!". 'Putting faces to names' is, to me, part of 'socialising information security', making it an integral part of the corporate culture. 

On that point, I will be encouraging NB customers to allocate suitable information risk and security pro's to conduct the induction courses, in person. Information Security's 'customer services' or 'help desk' people and experienced trainers are the obvious choices for this job. Furthermore, if the Information Security Manager or CISO or CEO turns up, in person, to say hello and reinforce some point or other (implying a little preparation), that sends a more subtle message about the importance of information security for new workers. It's a powerful technique to cut through the avalanche of information assaulting inductees.

If it is simply not practicable for the relevant InfoSec people to make the time to attend induction courses, other approaches include:
  • Playing a brief 'talking heads' video statement by the ISM, CISO or CEO;
  • A quick live phone call or videoconference appearance by the ISM, CISO or CEO during the session;
  • Showing 'meet the team' biographies - mugshots and a few choice words about the pro's in the InfoSec team (which, in fact, means everyone in the organization, including those currently in the induction session!). 
Another cool idea is to invite inductees to come along to Information Security events and meetings after the induction session - ideally specific, planned events within the next month or two, otherwise any regular or general-access events and meetings ... and in fact that's not a bad idea anyway: these are potentially complementary approaches, not necessarily alternatives.

I have other ideas up my sleeve for making the induction content stickier, more memorable, but that's enough for now. Over to you: what would you suggest?  Comments open! 

14 Feb 2020

This year's InfoSec 101 theme

I've come up with a new theme for the Information Security 101 presentations this year, driven by a visual metaphor.  As I was picking out general-purpose security-related graphics from our stock for the slide decks, I noticed a preponderance of yellow ... which led me to think about warnings in nature (such as the yellow and black stripes of this wasp) and on the roads (driving hazards), plus the classic Red-Amber-Green traffic lights.

RAG colours are a simple visual cue, well suited to a basic induction or awareness refresher module. The concept gradually forming in my head is that we would like to get to green (as in "Go ahead, get on with the business ... safely") and, wherever possible, avoid the reds ("STOP!  Dangerous!"), so amber ("Caution: hazards") is the path trodden by the security awareness and training program. I have in mind using a few reds and greens to illustrate the range but mostly I think we'll focus on those ambers in the middle ground.  

The core message concerns vigilance, caution and situational awareness. We can't be there all the time, pointing out dangers to our colleagues, so they need to take responsibility for their own well-being - for example, hesitating and thinking twice about clicking those too-good-to-be-true offers sitting in their email inboxes and social media messaging.

We can even have a bit of fun with the roadsigns while we're at it, raise the odd laugh or wry smile maybe. Who says warning notices and awareness sessions should be dull and boring?

12 Feb 2020

Terms of art

Yesterday I wrote about the laborious process of condensing our comprehensive 300+ page information risk and security glossary to something much more succinct and appropriate for inductees, new to the organization and the topic. So far, the Information Security 101 glossary is down to just 15 pages but it's not finished yet. I am systematically reconsidering the relevance of each term and, for those destined to remain in the glossary, composing a straightforward explanation that encapsulates the concept in just a few simple words. 

Well that's the aim anyway! I balked at describing cryptography, even though I'd quite like everyone to have at least a rough idea of what it is about. Maybe today the inspiration will come. 

There's a nice bonus to all this: the terms that made it into the 101 glossary will go into a word-grid and possibly also a crossword if there's time. If people find unfamiliar words in the puzzles, they can look them up in the glossary to find out what they mean ... and it doesn't stop there: the glossary is designed to intrigue as well as inform. Any specialist terms in the explanations are hyperlinked to the corresponding entries, encouraging readers to click and read-on, hopefully browsing the whole thing. We want it to be as sticky as a tar-pit for newbies. In millennia to come, paleontologists will be digging out the bones of Novi operatur, a long-forgotten but remarkably vigilant humanoid species from the 21st Century. 

But wait, there's more! We also use word lists to generate word clouds, visual depictions of the topic that again intrigue and inform - this sort of thing:

That's one I created for the 'surveillance' awareness module, an unusual topic that led us through corporate oversight and security monitoring into the realm of spooks and spies. The words on the graphic remind me of our coverage when the module was prepared three years ago - things such as Ed Snowden's revelations about the NSA. For me, at least, visual depictions work amazingly well as memory prompts. I like mind maps for the same reason, using them to analyse, explain and recall the more technical areas, even relatively complex, challenging topics ... hence they often feature in our awareness materials.

Yes yes, I know, it's not all about me! I appreciate that words and pictures, technical content and challenging concepts are not to everyone's taste, so the approach we've taken with NoticeBored was explicitly designed to appeal to 'everyone'. For some people, even InfoSec 101 may be a struggle to understand. At the other end of the scale, some may be bored of the awareness notices or alarmed at our simplifications of deep and meaningful areas they know well. Some may not pay attention unless they are 'shown' stuff or given the chance to experience things for themselves. Some may prefer to figure it out under their own steam. Many will be busy and distracted by other shiny things, especially workers new to the job, being assaulted by induction materials on a host of topics apart from Information Security 101 ... and I hope our valued customers have seized the opportunity to demonstrate to their colleagues in HR, Health & Safety, IT and other areas that being lectured at by an earnest, well-meaning but essentially overbearing and humourless presenter is perhaps not the best way to greet newcomers. A 3 minute video cartoon, or a 10 minute sermon, or some coercive game may work for some, but not all: diversity is the key, plus the stickiness of a tar-pit (you remember!).

Bottom line: there may be no silver bullet for security awareness but we've been delivering golden shotgun cartridges every month since 2003. 

11 Feb 2020

InfoSec 101 terms

Our information risk and security glossary has grown steadily over the years to a document of 100,000 words over 346 pages defining about 3,000 terms. That's easily a book's worth (maybe we should publish it!), and way too much information for the InfoSec 101 module, so I spent yesterday paring it down to a more sensible size.

The easiest approach was to chop out obscure/specialist terms and their definitions, then go through again to catch the ones I missed. 

Next I set to work trimming down the definitions for the remaining terms, simplifying the wording and removing the quoted extracts from the ISO27k and other standards and references. 

Some terms are context-dependent - they normally mean one thing but can mean something else. For the purposes of the Information Security 101 module, I've chopped off the 'something else' explanations.

So now we're down to 11,000 words and 40 pages, defining about 400 terms. Still more than I'd like. The most recent 2017 revision of the 101 module included a glossary of 2,000 words and 10 pages defining about 100 terms. Hmmm, it will be a struggle to get it down that far, but I'll give it a go. 

Time for another few cycles of chopping and trimming ...

8 Feb 2020

InfoSec 101

For March, we're working on our final security awareness module, an update to "Information Security 101". Unlike the other NoticeBored modules, this covers several information risk and security topics at a basic level. Its main purpose is to provide a gentle introduction, for example in new employee induction or orientation training, or as a launch module for organizations just starting or re-starting their awareness and training programs, bringing everybody quickly up to speed.

So what should it cover? For the general staff audience, I'm thinking:
  • Information risk and security fundamentals, including common terms
  • Policies and procedures, with a touch of compliance
  • User IDs and passwords ... and why they matter
  • Backups
  • Patching
  • Phishing and other social engineering scams
  • Apps and mobile security
  • Ransomware and antivirus
  • Physical security in the office
  • Physical security when on the road or working from home
  • Cloud, Internet, network and system security basics
  • Vigilance: spotting, reacting to and reporting concerns
  • Who's who - putting faces to the names behind information security
For the management audience:
  • Information risk and security management basics e.g. net value of incidents avoided/reduced less the costs of control
  • A little more on compliance e.g. privacy
  • Roles, responsibilities and accountability, with a little on governance
  • Strategies, architecture, plans and big-picture stuff
  • Insider/outsider threats including fraud
  • Awareness and training, plus motivation and culture, plus 'executive security'
  • Information security in business relationships e.g. with vendors, partners and customers
  • Security metrics, reporting and systematic improvement
  • Business continuity
For the professional audience:
  • Identification and authentication
  • Access controls
  • Logging, alerting and alarms
  • Cryptography fundamentals
  • Cybersecurity vs information security
  • Intellectual property? Copyright at least
That's already quite a lot. It would be easy to overwhelm people with too much all at once, or conversely to bore them stiff with trivial, superficial, condescending material. We need to find ways to help people navigate the content, touching on all the main points and, if they wish, dipping deeper where appropriate. Most importantly, the content needs to be interesting, engaging and relevant - which is another challenge since that depends, in part, on the business context: key awareness messages are bound to differ in emphasis if not content between, say, a tech company, a bank or a charity. That suggests an initial activity for the person or team receiving and thinking about how to use the awareness module ... figuring out what the essentials are, the things that everyone needs to know.

5 Feb 2020


Once more today I find myself drawn into an interminable discussion over on the ISO27k Forum.

This time around, it's with a member who (as I see it) steadfastly refuses to remove his IT blinkers and acknowledge that - perhaps - there's more to information risk and security management than IT security, that he can't simply ignore the rest or claim/pretend that it's someone else's problem.

His little IT world defines his horizon, and everything beyond the edge is (to him) at once both unseen and scary.

And to be fair to him, I'm just the same. OK, so my blinkers don't say "IT" all over them but it's true I perceive the world in terms of information risks. I can't help it. It's how my brain works. I have something of an idea of what lies beyond that horizon, but nevertheless it's scary because that's not my domain of knowledge, experience and expertise. It's not my home turf. It makes me uncomfortable.

Take 'financial risk' for example. I know a tiny bit about return on investment, exchange rates, stock markets, money markets and so on ... but I'm well out of my depth when it comes to, say, futures and options. I thoroughly enjoyed reading Nick Leeson's book about his shenanigans that brought down the veritable British financial institution of Barings Bank but I freely admit that, despite his patient and eloquent description in the book, I didn't entirely understand the ins-and-outs of his fraud (nor indeed did the bank's managers and auditors, until it was too late!). Although the story sort of made sense at the time, I was struggling to understand and, now, I'd fall in a heap if I tried to recall and explain it.

Arguably there's a difference, though, between me and my rather naive, blinkered colleague on the ISO27k Forum. Specifically, I'm sufficiently self-aware to know my limits. If I wanted/needed to get into, say, financial risk, I'd seek out and rely on someone who's good at that stuff, someone with experience and reputation, probably qualifications too. To be crystal clear, even in outlining 'financial risk' above, I'm taking a punt. The terms are unfamiliar and awkward to me, the concepts vague and ill-defined in my little head, but I recognise and acknowledge that. That's the nub of it ...

... and in so describing the situation, I've yet again demonstrated my own myopic obsession with information risk, plus risk in general. 

I appreciate the information risk associated with the limits of my knowledge and expertise, and I'm willing to address them. That's a product of my world-view. That I'm even blabbering on about it here is a further clue as to the narrowness of my perspective.

Your Myopia May Vary.