Welcome to NBlog, the NoticeBored blog

I spy with my beady eye ...

Feb 17, 2020

NBlog Feb 18 - neat and tidy

My perfectionist streak flared up with a vengeance today.

First I spent a productive couple of hours checking and revising the content of our generic/model Acceptable Use Policies, intending to include them in the updated InfoSec 101 module for March. 

Aside from reviewing and tinkering with the information content, this also involved standardising the formatting of the AUPs by using the same MS Word template with specific styles for all of them. The AUPs have been updated at various times in various NoticeBored modules and I noticed that, somewhere along the way, I must have changed the bullets and colouring for the 'acceptable use' and 'unacceptable use' points. Evidently I have also meddled with the boilerplate text that tops and tails each AUP, making them slightly inconsistent. To my beady eye, this will not do! 

Unsure how to name the model AUP files, I toyed with the idea of making a single multi-page document containing them all but customers may not want them all.  Instead I settled on a numeric naming scheme.    

As I was doing that, I noticed the document properties also needed standardising. The properties are stored with each document and affect the directory listings. To get to this picture of neatness ...

... I had to fiddle with the Tags and Authors for each of the 8 AUPs. 

The Tags are easy enough to update but changing the Author property is a little awkward: originally, the Author for all the files was "Gary" which, although technically correct, is not helpful for those who don't know it was actually little ol' me. I decided to use my unique email address instead, and soon discovered that updating the Author of both existing and new Word documents involves numerous clicks and typing. It always defaulted to Gary.

"There must be a better way!" I muttered to myself, and started by exploring the properties saved on the info tab of my Word templates - a bit of a mission since the templates are stored under my profile, and updates can't be saved while the templates are open. Instead, I had to follow this 8-step process:
  1. Create a new document using an existing template
  2. Update the template content
  3. Save the updated file as a template (in my default templates directory - I've been here before) with a new name
  4. Close the open file
  5. Navigate to the templates directory in Windows Explorer (made easier using a previously-saved shortcut) 
  6. Delete the original template
  7. Rename the revised template the same as the now deleted original
  8. Open a new document using the updated template to check it out.

Unfortunately, I soon discovered that the Author property on a Word template does not automatically carry forward to new documents created using that template, even though I am the only user of this PC. Instead, MS Office insists on using the "User name" stored in the General tab of my Word Options ...

Nothing as obvious as "Default author" though, oh no. That would be far too easy. Silly me.
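The Author and Tags fiddling described above can also be done without opening Word at all: a .docx is a ZIP package, and the properties Windows Explorer shows as Author, Tags and Last Modified By are the dc:creator, cp:keywords and cp:lastModifiedBy elements of the docProps/core.xml part. Since those properties travel with the file to every recipient, it is worth checking they say what you intend. The script below is an added example of mine, not code from the original post or from NoticeBored; the e-mail address is a placeholder, and the sample package it builds is a constructed minimal one (just enough to hold core properties, not a real Word document). It normalises existing files only: as noted above, Word takes the Author of new documents from the Office User name rather than from the template.

```python
"""Normalise the Author (dc:creator), Last Modified By and Tags (cp:keywords)
properties of .docx files by rewriting the docProps/core.xml part of the package."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml (Open Packaging Conventions core properties).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the conventional prefixes on output

CORE_PART = "docProps/core.xml"
NEW_AUTHOR = "author@example.com"  # placeholder: not the blog author's real address


def _set_text(root, tag, text):
    """Set the text of a prefixed child element, creating it if absent."""
    el = root.find(tag, NS)
    if el is None:
        prefix, local = tag.split(":")
        el = ET.SubElement(root, "{%s}%s" % (NS[prefix], local))
    el.text = text


def read_core_properties(path):
    """Return {local-name: text} for every element in docProps/core.xml."""
    with zipfile.ZipFile(path) as zf:
        root = ET.fromstring(zf.read(CORE_PART))
    return {el.tag.split("}")[1]: (el.text or "") for el in root}


def set_core_properties(path, author, tags=None):
    """Rewrite Author and Last Modified By (and Tags, if given); all other parts are copied unchanged."""
    with zipfile.ZipFile(path) as zf:
        root = ET.fromstring(zf.read(CORE_PART))
        _set_text(root, "dc:creator", author)
        _set_text(root, "cp:lastModifiedBy", author)
        if tags is not None:
            _set_text(root, "cp:keywords", ", ".join(tags))
        new_core = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                    + ET.tostring(root, encoding="utf-8"))
        # ZIP entries cannot be edited in place, so write a fresh package next to the original.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), suffix=".tmp")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as out:
            for info in zf.infolist():
                data = new_core if info.filename == CORE_PART else zf.read(info)
                out.writestr(info, data)  # keeps each entry's compression and timestamp
    os.replace(tmp, path)
    return read_core_properties(path)


def make_sample_docx(path, author="Gary"):
    """Constructed minimal package with core properties only; not openable by Word."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">' % (NS["cp"], NS["dc"])
        + '<dc:title>Acceptable Use Policy</dc:title>'
        + '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>' % (author, author)
        + '</cp:coreProperties>'
    )
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr(CORE_PART, core)


def demo():
    """End-to-end run on a constructed file in a temp directory: returns (before, after) property dicts."""
    path = os.path.join(tempfile.mkdtemp(), "AUP-01.docx")
    make_sample_docx(path)
    before = read_core_properties(path)
    after = set_core_properties(path, NEW_AUTHOR, tags=["AUP", "policy"])
    return before, after


if __name__ == "__main__":
    print(demo())
```

To run it over a folder of real policy files, call set_core_properties on each .docx in turn; read_core_properties afterwards gives a quick listing for confirming that every file now carries the same Author and Tags.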

So here I am, some two hours after noticing and deciding to fix those little discrepancies, still not entirely sure I've permanently fixed the problems but at least I've vented some of my angst and hopefully helped some of you avoid the same pitfalls. If in due course I find the updated default Author does not also apply to PowerPoint, Excel and other Office files, I'll gnaw my knuckles rather than bore you with another rant.

NBlog Feb 17 - tips on security induction sessions

The InfoSec 101 management presentation is coming along ... but I'll need to rein in my enthusiasm for all things yellow to refocus on the information security essentials: one of the challenges with induction training is keeping it within a tight timescale. 'Speak fast!' is not the answer because the audience probably won't take it all in, given that information security is just one of several important induction topics. It's trial by fire for them.

Some of our customers will have more time for induction training than others, so my cunning plan is to make the 101 presentations flexible. Customers who have the luxury of more time can elaborate on pertinent details and interact more extensively with the inductees. Those short of time may want to skim through or skip some of the slides ... but I hope to encourage them all to make the time to introduce inductees to the information security team. Making that personal link starts the long process of getting to know each other, with benefits on both sides as time goes on. For example, it's easier for workers to email, pick up the phone or drop in on someone they have already met, whether to ask a question, raise an issue or simply say "Hi!". 'Putting faces to names' is, to me, part of 'socialising information security', making it an integral part of the corporate culture. 

On that point, I will be encouraging NB customers to allocate suitable information risk and security pros to conduct the induction courses, in person. Information Security's 'customer services' or 'help desk' people and experienced trainers are the obvious choices for this job. Furthermore, if the Information Security Manager or CISO or CEO turns up, in person, to say hello and reinforce some point or other (implying a little preparation), that sends a more subtle message about the importance of information security for new workers. It's a powerful technique to cut through the avalanche of information assaulting inductees.

If it is simply not practicable for the relevant InfoSec people to make the time to attend induction courses, other approaches include:

  • Playing a brief 'talking heads' video statement by the ISM, CISO or CEO;
  • A quick live phone call or videoconference appearance by the ISM, CISO or CEO during the session;
  • Showing 'meet the team' biographies - mugshots and a few choice words about the pros in the InfoSec team (which, in fact, means everyone in the organization, including those currently in the induction session!).

Another cool idea is to invite inductees to come along to Information Security events and meetings after the induction session - ideally specific, planned events within the next month or two, otherwise any regular or general-access events and meetings ... and in fact that's not a bad idea anyway: these are potentially complementary approaches, not necessarily alternatives.

I have other ideas up my sleeve for making the induction content stickier, more memorable, but that's enough for now. Over to you: what would you suggest?  Comments open! 

Feb 14, 2020

NBlog Feb 14 - this year's InfoSec 101 theme

I've come up with a new theme for the InfoSec 101 presentations this year, driven by a visual metaphor.  As I was picking out general-purpose security-related graphics from our stock for the slide decks, I noticed a preponderance of yellow ... which led me to think about warnings in nature (such as the yellow and black stripes of this wasp) and on the roads (driving hazards), plus the classic Red-Amber-Green traffic lights.

RAG colours are a simple visual cue, well suited to a basic induction or awareness refresher module. The concept gradually forming in my head is that we would like to get to green (as in "Go ahead, get on with the business ... safely") and, wherever possible, avoid the reds ("STOP!  Dangerous!"), so amber ("Caution: hazards") is the path trodden by the security awareness and training program. I have in mind using a few reds and greens to illustrate the range but mostly I think we'll focus on those ambers in the middle ground.  

The core message concerns vigilance, caution and situational awareness. We can't be there all the time, pointing out dangers to our colleagues, so they need to take responsibility for their own well-being - for example, hesitating and thinking twice about clicking those too-good-to-be-true offers sitting in their email inboxes and social media messaging.

We can even have a bit of fun with the road signs while we're at it, raise the odd laugh or wry smile maybe. Who says warning notices and awareness sessions should be dull and boring?

Feb 12, 2020

NBlog Feb 12 - terms of art

Yesterday I wrote about the laborious process of condensing our comprehensive 300+ page information risk and security glossary to something much more succinct and appropriate for inductees, new to the organization and the topic. So far, the InfoSec 101 glossary is down to just 15 pages but it's not finished yet. I am systematically reconsidering the relevance of each term and, for those destined to remain in the glossary, composing a straightforward explanation that encapsulates the concept in just a few simple words. 

Well that's the aim anyway! I balked at describing cryptography, even though I'd quite like everyone to have at least a rough idea of what it is about. Maybe today the inspiration will come. 

There's a nice bonus to all this: the terms that made it into the 101 glossary will go into a word-grid and possibly also a crossword if there's time. If people find unfamiliar words in the puzzles, they can look them up in the glossary to find out what they mean ... and it doesn't stop there: the glossary is designed to intrigue as well as inform. Any specialist terms in the explanations are hyperlinked to the corresponding entries, encouraging readers to click and read on, hopefully browsing the whole thing. We want it to be as sticky as a tar-pit for newbies. In millennia to come, paleontologists will be digging out the bones of Novi operatur, a long-forgotten but remarkably vigilant humanoid species from the 21st Century.

But wait, there's more! We also use word lists to generate word clouds, visual depictions of the topic that again intrigue and inform - this sort of thing:

That's one I created for the 'surveillance' awareness module, an unusual topic that led us through corporate oversight and security monitoring into the realm of spooks and spies. The words on the graphic remind me of our coverage when the module was prepared three years ago - things such as Ed Snowden's revelations about the NSA. For me, at least, visual depictions work amazingly well as memory prompts. I like mind maps for the same reason, using them to analyse, explain and recall the more technical areas, even relatively complex, challenging topics ... hence they often feature in our awareness materials.

Yes yes, I know, it's not all about me! I appreciate that words and pictures, technical content and challenging concepts are not to everyone's taste, so the approach we've taken with NoticeBored was explicitly designed to appeal to 'everyone'. For some people, even InfoSec 101 may be a struggle to understand. At the other end of the scale, some may be bored by the awareness notices or alarmed at our simplifications of deep and meaningful areas they know well. Some may not pay attention unless they are 'shown' stuff or given the chance to experience things for themselves. Some may prefer to figure it out under their own steam. Many will be busy and distracted by other shiny things, especially workers new to the job, being assaulted by induction materials on a host of topics apart from InfoSec 101 ... and I hope our valued customers have seized the opportunity to demonstrate to their colleagues in HR, Health & Safety, IT and other areas that being lectured at by an earnest, well-meaning but essentially overbearing and humourless presenter is perhaps not the best way to greet newcomers. A 3-minute video cartoon, or a 10-minute sermon, or some coercive game may work for some, but not all: diversity is the key, plus the stickiness of a tar-pit (you remember!).

Bottom line: there may be no silver bullet for security awareness but we've been delivering golden shotgun cartridges every month since 2003. 

Feb 11, 2020

NBlog Feb 11 - InfoSec 101 terms

Our information risk and security glossary has grown steadily over the years to a document of 100,000 words over 346 pages defining about 3,000 terms. That's easily a book's worth (maybe we should publish it!), and way too much information for the InfoSec 101 module, so I spent yesterday paring it down to a more sensible size.

The easiest approach was to chop out obscure/specialist terms and their definitions, then go through again to catch the ones I missed. 

Next I set to work trimming down the definitions for the remaining terms, simplifying the wording and removing the quoted extracts from the ISO27k and other standards and references. 

Some terms are context-dependent - they normally mean one thing but can mean something else. For the purposes of the 101 module, I've chopped off the 'something else' explanations.

So now we're down to 11,000 words and 40 pages, defining about 400 terms. Still more than I'd like. The most recent 2017 revision of the 101 module included a glossary of 2,000 words and 10 pages defining about 100 terms. Hmmm, it will be a struggle to get it down that far, but I'll give it a go. 

Time for another few cycles of chopping and trimming ...

Feb 8, 2020

NBlog Feb 8 - InfoSec 101

For March, we're working on our final NoticeBored security awareness module, an update to "InfoSec 101". Unlike the other NoticeBored modules, this covers several information risk and security topics at a basic level. Its main purpose is to provide a gentle introduction, for example in new employee induction or orientation training, or as a launch module for organizations just starting or re-starting their awareness and training programs, bringing everybody quickly up to speed.

So what should it cover? For the general staff audience, I'm thinking:
  • Information risk and security fundamentals, including common terms
  • Policies and procedures, with a touch of compliance
  • User IDs and passwords ... and why they matter
  • Backups
  • Patching
  • Phishing and other social engineering scams
  • Apps and mobile security
  • Ransomware and antivirus
  • Physical security in the office
  • Physical security when on the road or working from home
  • Cloud, Internet, network and system security basics
  • Vigilance: spotting, reacting to and reporting concerns
  • Who's who - putting faces to the names behind information security

For the management audience:
  • Information risk and security management basics e.g. net value of incidents avoided/reduced less the costs of control
  • A little more on compliance e.g. privacy
  • Roles, responsibilities and accountability, with a little on governance
  • Strategies, architecture, plans and big-picture-stuff
  • Insider/outsider threats including fraud
  • Awareness and training, plus motivation and culture, plus 'executive security'
  • Information security in business relationships e.g. with vendors, partners and customers
  • Security metrics, reporting and systematic improvement
  • Business continuity

For the professional audience:
  • Identification and authentication
  • Access controls
  • Logging, alerting and alarms
  • Cryptography fundamentals
  • Cybersecurity vs information security
  • Intellectual property? Copyright at least

That's already quite a lot. It would be easy to overwhelm people with too much all at once, or conversely to bore them stiff with trivial, superficial, condescending material. We need to find ways to help people navigate the content, touching on all the main points and, if they wish, dipping deeper where appropriate. Most importantly, the content needs to be interesting, engaging and relevant - which is another challenge since that depends, in part, on the business context: key awareness messages are bound to differ in emphasis if not content between, say, a tech company, a bank or a charity. That suggests an initial activity for the person or team receiving and thinking about how to use the awareness module: figuring out what the essentials are, the things that everyone needs to know.

Feb 5, 2020

NBlog Feb 5 - YMMV

Once more today I find myself drawn into an interminable discussion over on the ISO27k Forum.

This time around, it's with a member who (as I see it) steadfastly refuses to remove his IT blinkers and acknowledge that - perhaps - there's more to information risk and security management than IT security, that he can't simply ignore the rest or claim/pretend that it's someone else's problem.

His little IT world defines his horizon, and everything beyond the edge is (to him) at once both unseen and scary.

And to be fair to him, I'm just the same. OK, so my blinkers don't say "IT" all over them but it's true I perceive the world in terms of information risks. I can't help it. It's how my brain works. I have something of an idea of what lies beyond that horizon, but nevertheless it's scary because that's not my domain of knowledge, experience and expertise. It's not my home turf. It makes me uncomfortable.

Take 'financial risk' for example. I know a tiny bit about return on investment, exchange rates, stock markets, money markets and so on ... but I'm well out of my depth when it comes to, say, futures and options. I thoroughly enjoyed reading Nick Leeson's book about his shenanigans that brought down the veritable British financial institution of Barings Bank but I freely admit that, despite his patient and eloquent description in the book, I didn't entirely understand the ins and outs of his fraud (nor indeed did the bank's managers and auditors, until it was too late!). Although the story sort of made sense at the time, I was struggling to understand and, now, I'd fall in a heap if I tried to recall and explain it.

Arguably there's a difference, though, between me and my rather naive, blinkered colleague on the ISO27k Forum. Specifically, I'm sufficiently self-aware to know my limits. If I wanted/needed to get into, say, financial risk, I'd seek out and rely on someone who's good at that stuff, someone with experience and reputation, probably qualifications too. To be crystal clear, even in outlining 'financial risk' above, I'm taking a punt. The terms are unfamiliar and awkward to me, the concepts vague and ill-defined in my little head, but I recognise and acknowledge that. That's the nub of it ...

... and in so describing the situation, I've yet again demonstrated my own myopic obsession with information risk, plus risk in general. 

I appreciate the information risk associated with the limits of my knowledge and expertise, and I'm willing to address them. That's a product of my world-view.  That I'm even blabbering on about it here is a further clue as to the narrowness of my perspective.

Your Myopia May Vary.