Yesterday I wrote about the laborious process of condensing our comprehensive 300+ page information risk and security glossary to something much more succinct and appropriate for inductees, new to the organization and the topic. So far, the InfoSec 101 glossary is down to just 15 pages but it's not finished yet. I am systematically reconsidering the relevance of each term and, for those destined to remain in the glossary, composing a straightforward explanation that encapsulates the concept in just a few simple words.
Well, that's the aim anyway! I balked at describing cryptography, even though I'd quite like everyone to have at least a rough idea of what it is about. Maybe today the inspiration will come.
There's a nice bonus to all this: the terms that made it into the 101 glossary will go into a word-grid and possibly also a crossword if there's time. If people find unfamiliar words in the puzzles, they can look them up in the glossary to find out what they mean ... and it doesn't stop there: the glossary is designed to intrigue as well as inform. Any specialist terms in the explanations are hyperlinked to the corresponding entries, encouraging readers to click and read on, hopefully browsing the whole thing. We want it to be as sticky as a tar-pit for newbies. In millennia to come, paleontologists will be digging out the bones of Novi operatur, a long-forgotten but remarkably vigilant humanoid species from the 21st Century.
But wait, there's more! We also use word lists to generate word clouds, visual depictions of the topic that again intrigue and inform - this sort of thing:
That's one I created for the 'surveillance' awareness module, an unusual topic that led us through corporate oversight and security monitoring into the realm of spooks and spies. The words on the graphic remind me of our coverage when the module was prepared three years ago - things such as Ed Snowden's revelations about the NSA. For me, at least, visual depictions work amazingly well as memory prompts. I like mind maps for the same reason, using them to analyse, explain and recall the more technical areas, even relatively complex, challenging topics ... hence they often feature in our awareness materials.
Yes yes, I know, it's not all about me! I appreciate that words and pictures, technical content and challenging concepts are not to everyone's taste, so the approach we've taken with NoticeBored was explicitly designed to appeal to 'everyone'. For some people, even InfoSec 101 may be a struggle to understand. At the other end of the scale, some may be bored of the awareness notices or alarmed at our simplifications of deep and meaningful areas they know well. Some may not pay attention unless they are 'shown' stuff or given the chance to experience things for themselves. Some may prefer to figure it out under their own steam. Many will be busy and distracted by other shiny things, especially workers new to the job, being assaulted by induction materials on a host of topics apart from InfoSec 101 ... and I hope our valued customers have seized the opportunity to demonstrate to their colleagues in HR, Health & Safety, IT and other areas that being lectured at by an earnest, well-meaning but essentially overbearing and humourless presenter is perhaps not the best way to greet newcomers. A 3-minute video cartoon, or a 10-minute sermon, or some coercive game may work for some, but not all: diversity is the key, plus the stickiness of a tar-pit (you remember!).
Bottom line: there may be no silver bullet for security awareness but we've been delivering golden shotgun cartridges every month since 2003.