NoticeBored

NBlog July 25 - glossary as an awareness tool

NoticeBored - 16 hours 34 min ago
By coincidence, two of the professional groups/discussion forums I frequent have both been discussing terminology today.

It takes a particular personality type to enjoy discussing terminology, in depth. It requires both tight focus and a broad appreciation of the field. It helps to be well-read, since terms and concepts generally emerge from study or research that may be obscure. It helps also to be open-minded, since terminology is one of those things that fires up experienced and knowledgeable colleagues: the passion is almost palpable! I'm not at all worried about being "put straight" by respected gray-beards - we all give as good as we get, part of the cut-n-thrust of professional discussion.

Some might consider us anally-retentive. 

On the other hand, the information content of language is critically dependent on the meanings, interpretations and implications of the words we use. In relatively new and complex areas such as information security, misunderstandings and confusion stemming from limited or inappropriate vocabulary can be inconsequential, mildly annoying or problematic, depending on the context. On top of that, language evolves naturally as a consequence of how it is used in social intercourse. There is plenty of wiggle-room. 

Anyway, today we've been discussing the meaning of about a dozen core terms of art in the field of information risk and security. Although I don't intend to expand on the definitions and discussion here, it's a chance to raise a more general point about awareness and training.

Explaining terminology is an important part of any decent awareness program or training course. It helps set the scene for both the audience and the authors/presenters/trainers. It differentiates relatively superficial from more in-depth approaches - the former gloss over the details anyway.

We maintain an extensive information security glossary, updating and re-issuing it every month in the course of developing each batch of awareness content. Any specialist terms used in the definitions are hyperlinked to their own definitions, making it interesting (fun even!) to follow one's nose from term to term, hopefully discovering and learning new stuff along the way. It reminds me of the joys of browsing dictionaries, encyclopedias and most of all Roget's Thesaurus when I was young (yes, a long, long time ago, pre-Google, when we thumbed through reference books made of a substance known as paper).

At the same time, I'm not a professional lexicographer. The glossary is a valuable working tool, not a formal academic treatise. We quote numerous "official" definitions from various "official" sources such as ISO/IEC 27000, but in most cases we add our own pragmatic definitions - particularly when the formal ones are too obscure, narrow or plain misleading for our purposes.

Here's a tiny extract to demonstrate its style:

I added "Actuary" today, in connection with August's awareness topic, cyberinsurance. Along with other terms relevant to cyberinsurance, it is picked out in red. In the definition, "data" and "risk" are underlined hyperlinks to their respective definitions ("risk" is pink because I've followed that hyperlink to check and update the definition, following today's exchange on the forums). 

Some of the definitions (such as that one for activist) are a little tongue-in-cheek because they amuse me, and hopefully those little nuggets of humor spur on the intrepid reader who has the interest and the stomach to browse an information security glossary. Our aim in awareness is not just to educate or inform, but to entertain and engage - a delicate balance.

The whole thing is now a little over 300 A4-pages, defining over 2,000 terms with over 80,000 words in total, and still growing by a page or two most months.  If you'd like a copy, we've published it as Kindle eBook on Amazon for less than $10 ... or you'll get it for free as an MS Word document with monthly updates by subscribing to NoticeBored.

Categories: NoticeBored

NBlog July 22 - ISO27k for GDPR

NoticeBored - Fri, 07/21/2017 - 9:14pm
Someone just reminded me that nearly a year ago I wrote a document mapping the EU General Data Protection Regulation requirements to an ISO27k Information Security Management System.
The idea is to demonstrate how the ISMS satisfies most of the GDPR requirements, within an overarching governance framework that has other benefits (since it covers more than just privacy).  
If you find yourself in a bit of a pickle right now, under pressure from management to "do GDPR, and quick!", the mapping document helps by laying out and explaining the requirements. Even if you don't have an ISO27k ISMS at present, and have no immediate intention of implementing one, the structure is well worth considering. Turn GDPR from a challenge into an opportunity!
Download the mapping as an MS Word document here, or as an Adobe Acrobat PDF here.
The mapping was released as part of the free ISO27k Toolkit and is covered by a Creative Commons license, so feel free to share the links with your peers.
Regards, Gary (Gary@isect.com)

NBlog July 21 - Global Risk Management Survey

NoticeBored - Thu, 07/20/2017 - 5:30pm
Yesterday I blogged about various information sources that keep me abreast of the field. 
Right on cue, here's an excellent example: a shiny nugget I found on the Web today, following my nose from a Google search through several other references and links.
Aon's latest Global Risk Management Survey reports on an online survey completed by business people from 1,843 organizations globally at the end of 2016. 
According to the 2017 report, the top 10 risks of most concern to management are:
  1. Damage to reputation/brand 
  2. Economic slowdown/slow recovery 
  3. Increasing competition 
  4. Regulatory/legislative changes
  5. Cyber crime/hacking/viruses/malicious codes 
  6. Failure to innovate/meet customer needs 
  7. Failure to attract or retain top talent 
  8. Business interruption 
  9. Political risk/uncertainties 
  10. Third party liability (inc. E&O)

I've highlighted #5 - cyber risks - because they are so obviously relevant to information security awareness.
Apparently, cyber risks were ranked #1 by respondents from the aviation, education and government sectors. Why might that be?
  • The aviation industry is extremely safety-conscious, so I guess they are concerned at the possibility of cyber incidents leading to injuries and deaths, for example through cyber-terrorism. On top of that, fly-by-wire planes are critically dependent on their on-board IT systems so system design flaws, bugs, configuration and operator (especially pilot!) errors can be lethal. The dreaded blue screen of death could be literal. 
  • Governments, meanwhile, must deal with sophisticated and well-resourced cyber-attacks by other nation states, while doing their best to protect critical national infrastructures and economies. They also need to address terrorists and criminals, as well as tax-evaders, fraudsters and so on. As they become increasingly computerized, governments are inevitably more exposed to cyber threats.
  • I don't really know why the education sector is so worried about cyber risk, except perhaps the fact that kids today are more cyber-savvy than all previous generations, including the teachers and administrators trying to educate them. Hmmm, not sure about that.  [Thoughts, anyone?]
I am surprised the finance industry is more worried about other risks, but then they have to deal with global economics, politics and regulation, so maybe cyber risks are just another challenge!
"Cyber threat has now joined a long roster of traditional causes—such as fire, flood and strikes—that can trigger business interruptions because cyber attacks cause electric outages, shut down assembly lines, block customers from placing orders, and break the equipment that companies rely on to run their businesses. This explains the dramatic rise in ranking, from number nine in 2016 to number five this year. For survey participants who are risk managers, they have voted it a number two risk, probably because cyber breaches are becoming more regulated, with many companies in the U.S. and Europe facing mandatory disclosure obligations. Similar requirements are being introduced in Europe and elsewhere. As a result, cyber concerns will continue to dominate the risk chart ... About 33 percent of surveyed companies are now purchasing cyber[insurance] coverage, up from 21 percent in the previous survey."

Regards, Gary (Gary@isect.com)

NBlog July 20 - navigating the World Wide Warren

NoticeBored - Wed, 07/19/2017 - 7:30pm
A while back, this blog made it onto Feedspot's top 100 infosec blogs. Today, I finally got around to displaying our medal. Thanks Feedspot. I'm honored to be listed among such awesome company! 
A couple of times lately, I've been asked how I manage to keep up with the field for our security awareness and consultancy services. Good question! 
Blogs are an excellent source of information and inspiration. I track a bunch of blogs routinely through Blogger - roughly 40 on my reading list at the moment although some of those are in fact feeds aggregating or streaming an unknown number of individual blogs, and some relate to my hobbies and interests outside infosec. Yes, I have a life! The trick with blogs is to find and track the more creative bloggers who consistently generate good stuff, discarding those who only ever re-post other people's efforts, adding little if any value. [Yes, there are blogs in Feedspot's top-100 that I ought to be following: systematically checking them out and adding the best to my reading list is another task on my to-do list.]
I browse a few favourite magazine sites from time to time, such as The Register. Well-connected journalists come up with interesting stories. I most enjoy articles that take different angles and scratch below the surface, pulling together facts and opinions from various sources that I would otherwise have missed. [A decade or more ago, magazines and newspapers were also good for actual news, but these days social media outpace them most of the time.]
Talking of gossip, I enjoy being part of various online discussion forums and professional/industry groups. Mostly it's a slog, though, with the vast majority of participants contributing nothing at all - it's just take take take for them. Aside from the few who actively post and discuss stuff, the rest somehow seem to suck the life out with their deafening silence. 
Google+ occasionally puts me onto something new - well not so much Google+ itself as the extended family of friends and colleagues who post stuff there. Again, it's a shame more infosec pros aren't actively using Google+ routinely. Not quite enough to reach critical mass as yet, although I should put more effort into searching out more bright sparks. [My to-do list grew again.]
Linkedin is another occasional source, specifically a handful of infosec-related groups and postings by my connections. However, the deluge of marketing tripe is a serious problem - far too many 'social media marketing experts' putting the din in Linkedin. The abysmally low signal-to-noise ratio means a lot of wasted time, distractions and annoyances. I blame the apparent lack of moderation, coupled with a preponderance of vacuous advertisements spewing forth in the guise of news, like so many home-shopping channels on speed.
Personally I'm not into Twitter, Facebook and the like. I just don't have the time for such trivia.
Google rocks! The search engine is awesome, albeit a little annoying and inconsistent at times. The intense focus on whichever web pages make it to the top of the search results is a concern since there are bound to be more innovative nuggets buried further down the list. Perhaps Google ought to give us the option to promote a few matching sites at random into the search results we see? Meanwhile, I make good use of the search options and syntax to dig out what's new. [Blogger is a Google service so this very blog would be off-the-air without Google.]
Lastly of course, there's the World Wide Web, without which we'd still be stuck in the Dark Ages. All those blogs, groups, journalistic pieces and search results are basically just pointers to the gold, not the gold itself. Original research papers, surveys and articles are how I really find out about infosec. Industry journals such as ISSA and ISACA's Journals often publish meaty, worthwhile, peer-reviewed content with traditional references to their sources ... leading me down deep dark rabbit warrens that I first learnt to navigate when doing my PhD way back in the 80's. 
So that's how I keep up with the state of the art. Almost anyone can do it: all it takes is about 12 hours of intense concentration per day, a lifetime's interest in scientific research ... and a million rabbits.

NBlog July 19 - drawing order from chaos

NoticeBored - Wed, 07/19/2017 - 2:47am
We're plugging steadily away on August's awareness module on cyberinsurance, with nothing much to report today ... but I will just mention the word cloud.
The clutter represents (figuratively) how cyberinsurance words appear to people who hear or read - but don't really understand - them. 
Words that are relatively commonplace or more relevant to the topic are emphasized in a larger font size to stand out from the remainder but other than that it's obviously a jumble. 
Helping people make sense of the topic is a general aim of awareness materials and programs of all kinds. We bring out structures and relationships within the topic area, and between this and other topics, forming a mesh or framework to aid understanding.
As well as being a useful illustration for the module, the word cloud reminds us to be clear as we prepare the materials, taking our varied audiences into account. The complexity varies both from topic to topic and within any one topic area: a significant part of our job is to simplify and explain, ideally without just glossing over or ignoring those complexities. We can reasonably expect the more experienced professionals in our audience, for example, to be more willing to tackle and grasp the details than workers in general. They have different backgrounds and needs. Awareness programs that only provide superficial information offer little value, while expensive, in-depth training courses are only appropriate for specialists ... leaving a void in the middle ground that we are filling.
As well as the word clouds, the mind maps, diagrams, poster images and other graphics, plus the written or spoken words, build a picture that makes sense.
In short, we're drawing order from chaos.
Regards, Gary (Gary@isect.com)

NBlog July 18 - awareness + training = learning

NoticeBored - Mon, 07/17/2017 - 8:59pm
"The Trouble if Security Awareness Training Is Mainly a Penalty" is a well-written piece by Dan Lohrmann on the Government Technology website, expanding on several points relating to personal motivation and corporate culture.

"I believe transforming the security culture still remains our greatest challenge as we head toward 2020. But how can we get to this elusive “culture of security” while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?"

One of the concepts or approaches Dan discusses is 'just in time training', a buzzword which implies doing away with general awareness activities in favor of something more focused on the specific needs of individuals. I believe that is known as 'training' (!) which certainly has value ... but still I maintain that awareness and training are complementary approaches - neither the same thing (despite widespread use of the misleading term "awareness training"), nor alternatives. Both training and awareness are valuable.
Let me explain with a familiar example. 
Most of us learn to drive through training - normally intensive, one-on-one guidance by an experienced, competent and qualified driver trainer, someone who coaches and leads us through the process of acquiring the knowledge, skills and capabilities necessary to pass the driving test. 
Driver training is expensive in terms of the fees plus the time and focus required. You can't really learn to drive without giving it your full attention. In the early stages, the manual coordination required to get the vehicle moving in roughly the right direction, and to stop when required, is mentally challenging and physically tiring. Later on as our competence increases, we become more relaxed ... unless/until something unfamiliar happens (such as someone turning across our path) when the instructor's dual-controls come to the rescue! 
Training has a specific goal - passing the test - plus broader objectives such as safety. Learning the 'rules of the road' is a particular aim, covering relevant laws (such as staying within the speed limits) that are likely to affect the outcome of the driving test. 
Most of us learn about road safety through a more general, informal style of learning, closer to awareness. We may be explicitly taught specific skills such as crossing the road safely at marked crossings, but mostly we learn to be safe on the roads in a gradual, life-long experiential process - we experience and figure out how to deal with hazardous situations at first hand. Even if the speed limit is 50, we discover that rain, snow and ice materially affect changes of direction or speed, hence the safe speed may be much less than 50. Hazardous road junctions, kids playing and (other!) unrestrained animals may have been pointed out by our instructor, mentioned in official guidelines, even brought up by TV advertisements ... but facing actual incidents, for real, really brings the warnings home at a more emotional than intellectual level. We literally gasp and shake.
That describes a conventional approach, although of course there are variations - advanced driver training, for instance, and self-training. I doubt anyone would seriously suggest doing away with training or awareness: they complement and support each other.
Finally, if you're not already confused enough, in everyday language 'training' often refers to fitness training, specifically. People get physically fit by exercising. In a broader sense, exercises are an excellent way to learn things by going through the motions, practicing behaviors in a deliberate, conscious way in the hope they will become automatic even when we are in a panic. Fire evacuation, penetration tests, case studies and business continuity tests are all exercises: whether you think of them as training or awareness is moot. Either way, we know they work. They have their place. 
Regards, Gary (Gary@isect.com)

NBlog July 17 - cyberinsurance metrics

NoticeBored - Sun, 07/16/2017 - 10:05pm
To illustrate the need for cyberinsurance, we'll be using commonplace IT incidents that are easy to explain in August's awareness materials, being familiar to or readily understood by the target audiences.
People who don't already know much about insurance may be surprised to learn that such incidents are not covered by traditional policies - at least not for certain, and not in full.  So that's something they will learn.  They will also learn that cyberinsurance is available, and (if properly specified) would cover those same incidents. Probably, and again not in full - another learning point.
So aside from simply learning stuff, what if anything are people supposed to do differently if August's security awareness effort is effective? To answer that requires us to figure out what behavioral changes might be expected to occur in the organization.
One way to think this through is to identify activities that should ideally start or increase, or should decrease or stop, such as:
  • Cyberinsurance-related awareness activities should of course increase, for example more visits to the intranet pages on this topic, awareness materials being downloaded, people attending seminars etc.;
  • Workers in general ought to be thinking and hopefully chatting about cyberinsurance:
    • It should feature on relevant agendas e.g. in information risk and security management meetings, and perhaps board or exec team meetings;
    • Managers and professionals should start thinking of cyberinsurance as a commercially viable way to treat cyber risks, for instance including it explicitly as an option to consider in related policies, procedures, guidelines and checklists;
    • Cyberinsurance terms should crop up more often in various internal communications (aside from the awareness materials, that is), such as emails, memos, reports and casual conversation;
  • Someone should start digging out and checking through the fine print of existing insurance policies, and if appropriate procuring, negotiating or renegotiating cyberinsurance cover;
    • There should be an increase in the associated procurement and insurance activities;
    • Studies, reviews and audits may be conducted in this area;
    • There will probably be demonstrable management decisions in this area e.g. approval to (re)negotiate cyberinsurance and spend money;
    • There may be budgetary impacts if cyberinsurance is increased and/or conventional insurance is pared-back; 
  • There should probably be a reduction in the level of residual information risk that is accepted by the organization, as other forms of risk treatment (not just cyberinsurance) increase;
  • People should stop naively thinking of insurance as a catch-all solution to all their cyber problems.
Anything that can be observed to change can be measured, hence our analysis is a basis for identifying possible information security metrics in this area. It supports the GQM approach through which one identifies business Goals, poses Questions arising, then comes up with Metrics that would help answer the questions and so fulfill the goals. 
Despite cyberinsurance being such an unusual and arguably esoteric topic, this amply demonstrates the nature and depth of analysis required to come up with valuable security metrics in general - all of which is fueled by effective security awareness. 
Regards, Gary (Gary@isect.com)

NBlog July 14 - the infosec pitch

NoticeBored - Fri, 07/14/2017 - 2:03am
A couple of days back I blogged about being more concise and focused in my writing. Today, with that in mind, I wrote the 'elevator pitch' on cyberinsurance. The whole point of the pitch is to get straight down to business so normally we manage to squeeze the key awareness message/s into about 150 words. 
This month's pitch is just over 100 words (700 characters) and I'm wondering how far we could squeeze it if we really tried. Is it feasible to sum up, say, cyberinsurance in a single tweet?
Well, yes, I'm sure we could concoct a message of less than 141 characters ... but why? Are people honestly so snowed-under with information that they can only spare us a few brief seconds? 
Advertisers face the same issue, hence those lame tag lines we see/hear so often (in NZ anyway) tacked on the end of the ads - things like "The real thing" and "I'm lovin' it". They've reduced the message to the point that virtually all meaning is lost. They have become symbolic rather than literal. The primary purpose is not to express anything so much as to trigger brand recognition. I bet you know which products those tag lines are associated with, right? Ker-ching!
Advertising is different to security awareness, although we have a fair bit in common. We can't rely on monotonous, ad nauseam repetition of our awareness content - or can we? Actually, we can, but at a deeper level than commercials. Beneath the superficial layers, we are constantly circling around and refreshing core messages about information risk, security, privacy, governance, responsibility and so forth, important concepts and principles underpinning all that we do. In a sense, the rest is just fluff to fill the screen.
As to tweeting, Donald Trump is kindly conducting a live experiment for us right now. He's certainly getting plenty of coverage: his tweets generate a surprising number of column-inches, although a lot of the reporting and commentary seems distinctly cynical or sarcastic. Is it meaningful communication? I'm unconvinced.

NBlog July 13 - building on awareness foundations

NoticeBored - Wed, 07/12/2017 - 9:59pm
Cyberinsurance is one way to treat some cyber risks. Which ones?
That disarmingly simple question has taken next month's management seminar down a couple of interesting avenues.  
The first concerns the nature of cyber risks that one might reasonably expect to fall within the remit of cyberinsurance. Most don't. Insurers are particular about the kinds of risks they accept, actively managing their own risks and businesses.
Second is the distinction between insurance customers' 'reasonable expectations' and the reality of how policy terms and conditions are actually interpreted by the insurance companies and industry, the legal profession including the courts, and the regulators. 
We can explain the first issue quite easily using the PIGs (Probability Impact Graphs) that we provide in the awareness materials most months. Thanks to repeated prior exposure, we don't need to explain the PIG graphic to the audience laboriously, from first principles: we can leap directly into discussing distinct areas or groups of risks on the PIG. In other words, we are building upon the foundations of information risk and security awareness laid down in previous months, making reasonable assumptions about the audience's knowledge and understanding of the underlying concepts and taking them up a level. 
That's cool! It applies very broadly, not just in this specific case. A security-aware workforce starts at or above the ground floor in knowledge terms, not down in some cold, dark, damp and smelly basement.
Regards, Gary (Gary@isect.com)

Mid-winter sale

NoticeBored - Wed, 07/12/2017 - 3:34am

It’s f-f-f-f-freezing down here in New Zealand, so we’re spreading a little warmth.  
If you're quick, your first year’s subscription to the NoticeBored security awareness service will be  US$1,200.  Yes, just 100 USD per month, regardless of the size of your organization,  for the very best security awareness content available.
We’ll even throw in the usual welcome gifts (the policy suite and Infosec 101 module) for free.  
This is a very special price, available to the first 50 new customers only ... so don’t delay, get in touch straight away.
To take advantage of this offer, simply mention “nuts off” in your inquiry.
If $100 is still too much for you, send us your sob story.  Persuade us that security awareness is not even worth $100 per month to you.  
Go ahead, make my day.  Seriously.
Gary  Gary@isect.com 

NBlog July 11 - on strike

NoticeBored - Mon, 07/10/2017 - 9:49pm
At the weekend I drafted an article, circulated a link to the draft and invited feedback from a bunch of friends in one of the groups I belong to. We had been chatting quite animatedly about something of interest to the group for a good week or more, so I tried to capture the essence of the discussion, doing my best to reflect all perspectives and express the central points.
Normally when I write stuff (such as this very blog) and circulate it asking for comment, I get next to no response. Often nothing at all. Nil. Nada. Zip. As if nobody even saw it, let alone had anything to say. 
[... cue tumbleweed blowing through Gulch Creek to whistling wind ...] 

This time, the exact opposite - loads of responses and plenty of interaction, almost too much in fact!
At first I put it down to the fact that a couple of outspoken friends were a little upset at some of the things I wrote in the draft which, admittedly, were a bit edgy, contentious you could say but not intentionally inflammatory. Anyway, they were evidently goaded into responding quite sharply, making their feelings clear to all. My article had lit the blue touchpaper. 
So, I thought, perhaps my writing should be more contentious in general, if that's what it takes to fire up a response?
At the same time, however, several others responded in support of what I had written, with a few improvement suggestions and other comments. There followed a couple of days of to-and-fro as we kicked things around on email, while I revised the document to knock off the most pointed bits and incorporate various suggested changes. We all pulled together and the article benefited as a consequence.
That made me think about passion: everyone who had expressed an opinion was passionate about the topic, as is the group as a whole. Some were fairly emotional in their responses while most simply wanted to explain their points, dispassionately arguing for various changes, including counter-points to the two who were upset. 
A few told me the incomplete, rough draft was so inspirational that they are already circulating it! What an ego-boost!
On reflection, the group members' passion for the topic is probably what sparked such a dynamic exchange, rather than contention ... or perhaps it was both, or something else entirely such as the typos in the original? I'm not sure.
What is clear to me, though, is that I need to make changes to how I write stuff, or what I write about, if I want to get any kind of response from the audience. It feels like I'm battling enormous inertia out there (yes, that's YOU!) and/or my stuff is being lost in the noise. We have so many streams of information coming at us from all directions, a veritable tsunami, that we can't possibly deal with it all, so inevitably we are forced to prioritize. The rest is consumed and disappears.
So now I'm looking for clues about how to raise the priority of information security, how to strike the spark that ignites the same level of passion that drives me to write this stuff in the first place. 
Although this may be a philosophical muse, it is directly relevant to security awareness. If our awareness content is lost in the noise, we might as well not bother. You could even argue that we're adding to the tsunami - part of the problem rather than the solution. 
Hmmm. Could I have expressed all this in a sentence, a tweet perhaps, a few millipictures?
Don't bother commenting on this blog. I know you've got more important things to do. Don't worry about me, I'm fine. No, really, I'll cope. Move along, nothing to see here. Next.
Regards, Gary (Gary@isect.com)

NBlog July 7 - peering through the mist

NoticeBored - Fri, 07/07/2017 - 5:15pm
We've started working on August's NoticeBored module, covering cyberinsurance - a new security awareness topic.
As with all cyber-things, our first task is to define what we mean - easier said than done, given that cyberinsurance is a neologism, a newly-coined term that means different things to different people and organizations (not least the insurers!). It is often used informally without much effort to clarify the meaning, or in distinctly biased and narrow terms by insurance companies promoting their particular products - smoke and mirrors maybe.
For the module, we'll explain cyberinsurance in the business context of commercial insurance ... which means we also need to describe the various forms of commercial insurance, so I've been exploring the web to find out more about that. It's quite confusing so one of our tasks this month is to simplify and structure things for the awareness audiences.
It looks as if management will be the primary audience for this topic. Some managers may already know about cyberinsurance and have it in place, but I suspect it will be new to most. There are strategic, policy, risk management, governance and compliance aspects to draw out, as well as the commercial side and more practical angles (such as the possibility to draw on insurers' expertise for assistance in times of cyber-crisis).
For professionals, aside from describing what cyberinsurance is about, we will probably discuss the need to put other controls in place to reduce the probability and impact of cyber incidents, taking care to fulfill obligations stated or implied by the policies in order to treat the risk of cyberinsurers refusing to pay claims in full. We'll make the point that those things ought to be done anyway and should not be perceived as a burden imposed by the insurance.
For the general employee stream, as well as outlining commercial cyberinsurance, we can describe those forms of cyberinsurance aimed at individuals and families. Taking it back to basics, we might also need to explain the concept of insurance as a whole, in terms likely to resonate with the audience.
So, as you see, the scope and purpose of the module is emerging from the mist and should become crystal clear in the next week or so. 
Regards, Gary (Gary@isect.com)
Categories: NoticeBored

NBlog July 4 - how many topics does your awareness program cover?

NoticeBored - Tue, 07/04/2017 - 2:48am
A piece on LinkeDin set me thinking this morning - actually several pieces did but I shall spare you my cynicism, other than to say that the unbelievable din of superficial marketing tripe, me-me self-promotion and sycophantic back-slapping on LinkeDin all but drowns out the few grains of useful content. 
But I digress.

Bucking the trend, IT Security Basics: A Basic IT Security Awareness Program for Your Employees by Marc Krisjanous does what it says on the tin, laying out the bare bones of a basic approach to IT security awareness aimed at 'employees' (in other words staff, users, the hoi polloi). Do have a read: Marc has some good ideas in there, a step or two up from the most naive approach that is a common starting point for awareness. 
On the other hand, and with all due respect to Marc, it falls short of good practice ... which thought made me mull over the lifecycle, the stages through which awareness programs typically develop, in other words another maturity scale.
-------------------------[Before continuing, please take a moment to do something for me. Work out roughly how many topics your security awareness program has covered to date. I'm not talking about the scope, all those little things merit the odd mention here and there, but rather the specific focal points or issues that the awareness program, materials and activities focus on in some depth. Go ahead, check your list and tot 'em up. I'll explain why at the end of this piece.]-------------------------
OK, bring on the maturity scale ...
Stage 0 - nothing: there are no security awareness activities whatsoever. That implies several things:
  • Negligible security awareness among employees in general, most being totally oblivious while a few may vaguely hope or believe that someone else 'does' security, whatever that means;
  • No interest in security awareness by management, presumably including the information/IT security people themselves (if there are any);
  • No roles and responsibilities in this area, and zero accountability. When (not if) incidents occur, the organization collectively takes the hit, and nobody feels compelled to do anything about it. Fingers point from each to the other;
  • An unnecessarily high level of information risk, hence those incidents I mentioned are likely to be both more numerous and more severe than they need be. Worse still, they come as nasty surprises, out of the blue, despite the possibility being glaringly obvious to any interested, security-aware onlookers (ransomware incidents being a highly topical example).
Stage 1 - starter: at this level, there are some awareness activities but they aren't really planned or managed as such - rather they are one-off or sporadic episodes, with no defined purpose or goal both individually and overall. The topics tend to be a more or less random selection, perhaps picking up on major incidents (such as ransomware) in a reactive way, arguably too late to achieve much benefit from awareness. The awareness materials are basic, to say the least - perhaps a lame poster lifted from the web (quite possibly infringing someone's copyright, since the lack of awareness may extend to the people 'doing' awareness). Stage 1 starter-level security awareness may be better than nothing, but only just!
Stage 2 - basic program: a program involves planning and management of the security awareness activities. Someone cares enough about it to determine what ought to be done and hopefully how and when to do it. However, the basic awareness program is typically run on a shoestring, either totally unfunded or seriously under-funded. There is little management interest or support, except perhaps the desire to do the least amount possible to satisfy compliance obligations (implying management's awareness of those obligations, at least). There's no real appreciation of the value of security awareness, a blind-spot that often extends to IT/cyber and information security in general. Due to the lack of funds, stage 2 programs are necessarily limited in scope and reach, for example targeting "users" (meaning certain IT users) with barely enough content to be worth distributing. This is paying lip-service, although management of stage 2 organizations may be aghast at being so labeled, due to their own lack of awareness.
Stage 3 - funded program: funding may indicate that management truly believes in the value of security awareness, but could also reflect a need to spend some spare cash, compliance pressure from the authorities, or drive from within (either individual leaders or departments such as IT, Risk, Legal, Privacy, Audit or of course IT/Information Security). We see the first inkling of accountability at this level, management realizing that if the organization suffers serious incidents, the lack of an awareness program points directly to their lack of governance. However, the awareness program itself may be little more than the stage 2 version, with limited topics, restricted audiences and narrow goals (perhaps still undefined). A minimalist approach is common, limited to external (legal and regulatory) and perhaps internal (policy) compliance. 
Stage 4 - organization-wide program: extending the reach of the security awareness program to take in the entire organization takes things up a notch. It may not be immediately obvious but this seemingly innocuous extension, to me, marks a dramatic change of emphasis from IT/cybersecurity to information risk and security as a whole. A lowly office cleaner, for instance, has important information security responsibilities, even though he/she is unlikely to use corporate IT (except perhaps taking advantage of the guest WiFi to catch up with Facebook on a cheap smartphone during breaks!). That's true even if he/she is a cleaning contractor employed by a service company, not actually an employee of the organization running the program. [This is why the NoticeBored security awareness materials refer to "workers" rather than "employees": we hope subscribers won't discriminate against third party maintenance people, contractors, consultants etc. working for the organization on-site.] A nice refinement here is to identify distinct awareness audiences or groups within the organization, developing awareness content and activities specifically designed to appeal to and help them, supplementing the more generic stuff aimed at workers (not just [IT] users, remember!) in general.
Stage 5 - psychology: security awareness and training is adult education in the corporate context. As such, the science behind education is relevant and applicable, particularly the behavioral sciences within biology, including psychology. Appreciating the distinction between 'enforcement' and 'reinforcement', for instance, crucially divides awareness programs that are perceived negatively by their audiences from those that are positive. The typical compliance-based approach essentially involves warning workers about the dire consequences of non-compliance - the personal and organizational penalties arising. Emphasizing the business and personal benefits of addressing information risks through appropriate security controls takes the discussion to a different place, particularly for management. Organizations at stage 5 truly appreciate the need for motivation as well as information, and so take steps to motivate and encourage.  
Stage 6 - training and awareness system: large, mature organizations often have specialized training functions within or allied to HR. Their purpose is to assist with, if not actually deliver, training courses throughout the organization on a range of subjects and levels e.g. induction or orientation courses for new starters, compliance-driven courses, technical and skills-based training, and supervisory/management training. Learning Management Systems often come into play at this stage, opening the door for third party suppliers of training content. The systematic approach to awareness is another, more subtle element of stage 6. Although they usually focus on intensive training courses, specifically, the professionals in training functions often have the background and skills to assist with awareness activities as well, if only they have the time and inclination. They also have more than just a clue about good practice ...
Stage 7 - good practice: there is a diffuse set of characteristics defining or demonstrating good practices in security awareness, including:
  • Professionalization - by which I mean employing or promoting competent, experienced and talented security awareness and training professionals (ideally close-knit teams, not just lone individuals), giving them the latitude and support to both do stuff right and do the right stuff. Career progression is important for these people like all others, hence skills enhancement courses, projects and other personal development opportunities are worthwhile for the kinds of people who excel in these roles, and just as valuable as more money (within reason!); 
  • Interaction between information security or other specialists and the audiences, particularly in-person presentations, seminars, courses, workshops, demonstrations and so on, supplementing the typically rather dry, drab and lifeless written content. A suite of social skills is needed here, such as empathy ... which can be distinctly challenging for information security awareness people with classic IT/tech backgrounds and other personality types. Having said that, I'm relieved to note that the skills and competencies can be learnt and are certainly enhanced through practice;
  • Collaboration among and between specialists in different areas of expertise on shared awareness-related goals (e.g. health and safety plus site/physical security plus information security);
  • Standardization - both in the sense of turning the organization of awareness events and the production of awareness materials into repeatable and improvable sausage-machine operations, and by adopting the good practice advice in globally-respected standards such as ISO/IEC 27002 and NIST SP800-50;
  • Meaningful metrics - measuring the things that truly matter to the organization in achieving its goals, as a way to enable, direct, drive and demonstrate progress, value, effectiveness, efficiency, maturity etc. If your idea of a good security awareness metric is to graph the number of people who have attended your events, you have quite a journey ahead! Metrics turn standardization into continuous improvement;
  • Creativity and innovation - catching the eyes and imaginations of the audience groups naturally helps engage them fully with the program. There are further advantages to being creative and innovative with the content, the formats, the modes of delivery and so on, not least the topics. Given the time taken to prepare and deliver awareness, and for the audiences to absorb and react to it, your awareness topics ought to reflect not just present but future threats and information risks to the organization. Good luck even figuring those out far in advance, let alone preparing sensible content - and I should know: this is a substantial part of my role; 
  • High quality materials delivering both breadth and depth. As well as covering fewer topic areas, immature awareness programs tend to be quite superficial in their coverage. Some topics deserve, and some audiences need, more in-depth content, but at the same time it's easy to confuddle the general awareness audience, requiring a finesse to both the awareness messages and the awareness content.
Stage 8 - best practice: going beyond mere good practice, these are the award-winning awareness programs, figuratively if not literally. Best practice programs are outstanding in the field, highly effective and, in short, a roaring success. Their excellence is generally acknowledged by insiders (staff, managers and related third parties) and sometimes by outsiders ... although, since organizations at this level tend to be in intensely competitive industries and/or in national security, government and defense, they tend to be quite discreet about it. Discretion is part of security awareness, after all! [Note: awards that can be bought rather than earned don't count, sorry. Integrity is part of information security.]
Stage 9 - cutting edge: whereas creative, experimental and innovative approaches to security awareness and training can come into play at all levels in a limited way, mature organizations that find good/best practices inadequate have little option but to push back the frontiers and strive for the ultimate. They go beyond best practice. It's not really that best isn't good enough for them, rather they totally accept the value proposition for security awareness and see more to be gained by going beyond the obvious - for example, a genuine security culture means far more than the set of goals on some promotional poster. 
Stage 10 - dissolution: once information risk and security are utterly and deeply ingrained into the entire organization, there may be little need for a security awareness program as such. A strong security culture is inherently self-sustaining as vigilant, alert workers spot and react appropriately to information risks in an almost reflexive manner, hence paradoxically security awareness and training programs become less obvious at this level. The activities still occur but there is no longer any need to point them out since it is almost impossible to find any part of the organization, any person, any activity that is not inherently security-aware. Security has become "the way we do things around here". 
-------------------------
[OK, now, do you have that topic count I asked you for? The reason is that I suspect the number of topics might be a useful indicator of the maturity of an organization's awareness program. Simply divide your count by ten and check the correspondingly numbered stage, interpolating as appropriate. For example if your program has covered 14 topics since its inception, I would guess that puts you part way between stages 1 and 2. You probably exceed the criteria for stage 1 with some aspects of stage 2, perhaps even odd bits from later stages too. If your honest answer was zero, well I hope you would not be too surprised to be labeled a stage 0 organization! Notice the topic counts implied at the upper levels: here we're talking scores of topics, most likely spread over several years though, since trying to squeeze too much into any one year is bound to be counterproductive: people will become confused and overloaded, tuning-out and disregarding the awareness messages. Notice I'm calling this an indicator, not a rigorous scientific metric based on known cause-and-effect relationships. There are conceivably fabulous awareness programs covering only a few topics, and crappy ones supposedly covering loads. However, I think as a general indicator it might be 'close enough for government work', and virtually free too - a valuable combination in security metrics.]
Regards, Gary (Gary@isect.com)
PS  I'd love to know whether the awareness maturity model is sound and whether the suggested indicator works for your organization. You don't need to disclose the number of awareness topics or the stage you believe you have reached - in fact if you are above the very bottom level you are hopefully security-aware enough to realize that such disclosure may not be a good idea. Nevertheless, I'm keen to know if it is sufficiently accurate and helpful for me to develop and publish this blog piece more widely. If not, how can I improve it? What have I missed or got wrong? Over to you ...
Categories: NoticeBored

NBlog July 1 - workplace information security awareness

NoticeBored - Fri, 06/30/2017 - 6:24pm
With a final dash for the finishing line, July's awareness module on workplace information security was successfully completed on time. It went out the door to NoticeBored subscribers yesterday afternoon. 

If you've been tracking this blog, you'll have a pretty good idea what it's all about but if not take a look at the 'this month' page on the website.  


The listing below shows the variety of awareness materials in three parallel streams for three target audience groups:


That's another 85 Mb of awareness content in the bag, including two brand new and two updated model policies, rounding out our policy suite: 
With 70 model policies in the set, and over 60 awareness topics in the portfolio, it's getting progressively harder to think of new angles on information security to cover - difficult but not impossible.  
August's topic will be a brand new one for us: cyberinsurance. Although we've been quietly exploring it in the background, I'm looking forward to diving right in and immersing myself fully in the new topic.
Truth is, I've had enough of workplace infosec. It was an interesting area to cover, more involved than I anticipated and surprisingly diverse when we got into it. But now I'm bored and need a new challenge. Looking forward, I predict July will go something like this:
  1. A week or so of deeper research, scoping the module and digging out reference sources.
  2. A good few days' analysis and thinking, deciding on the core messages and the 'awareness stories' - the threads that will lead people on a journey of discovery through the awareness materials. I'll be mind-mapping to figure out what are the main components and how they fit into the bigger picture. We'll come up with poster ideas too, a creative process that helps get us in gear for the remainder.
  3. An intense week or two of writing, proofreading, finalizing and delivering the content, leading up to the end of July deadline. 

First, though, we'll be taking a few days off. I have to rest, clear my head and catch up with the other stuff that has formed an unsightly heap in my workplace. I must nip to the dentist to get a broken tooth repaired, again. There's something to look forward to! 
Regards, Gary (Gary@isect.com)
Categories: NoticeBored

NBlog June 30 - interwoven strands

NoticeBored - Thu, 06/29/2017 - 11:16pm
Today I'm carving frantically away at the final piece of the jigsaw - the newsletter for July's awareness module on workplace information security.
Once we got down to it, the awareness topic turned out to be much more challenging than I anticipated. Instead of merely dusting the cobwebs off the five-year-old office security module, we have had much more to do than updating and refreshing the donor materials: the key reason is the dawning realization that several evolutionary developments have come together, materially changing the nature of both 'work' and 'workplace', in turn affecting the information risks and security controls. 
With just hours to go until our self-imposed end-of-month delivery deadline, I don't have the time to explain further at this point but I'll be updating the NoticeBored website soon with details on the new module, and once I catch my breath I'll update the blog. Sorry to be so cryptic.  More to come.
Regards, Gary (Gary@isect.com)
Categories: NoticeBored

NBlog June 29 - more than 5 years of ransomwareness

NoticeBored - Wed, 06/28/2017 - 11:56pm
We are in the final stages of preparing July's NoticeBored awareness materials on "Workplace information security".  Six cool new poster designs have come in from the art department so the staff/general employee stream is practically finished, aside from proofreading. We're working hard to complete the management and professional briefings and tying up a couple of loose ends, leaving just the newsletter left to prepare, right on cue. As usual, we've left it to the very end of the month to make the newsletter, and in fact the whole module, as topical as humanly possible.
The latest ransomware outbreak all over the news this week is a classic illustration of the value of the NoticeBored approach to security awareness. 
We've covered malware at least once a year since 2003, several times in fact since malware often crops up in awareness modules covering related topics such as social engineering, identity theft, phishing, fraud, email security and cybertage. Every time through the hoop, we endeavor to pick up on emerging risks and new trends ...
I've just done a quick search of the NoticeBored Back Catalog. We first brought up ransomware way back in 2012, mentioning it in several awareness materials. It may be in the headlines now, but it's old news for us and our subscribers.
Here's an extract from the NoticeBored staff briefing on viruses delivered in February 2012:

Ransomware was an obscure issue when it first came to our notice, a risk that has grown steadily until today it is patently substantial - a real and present danger as they say. Because of that it's easy to catch people's eyes with awareness content on ransomware today, and that's great because there are clearly still organizations and individuals who have yet to get the message, unfortunately. So, in March this year, our annual malware awareness update focused almost exclusively on ransomware, an entire module dedicated to ransomwareness. 
Having said that, awareness of current risks and incidents is, in many ways, too late: employees and their employers need to be pre-warned so they have the chance to consider and address the risks before they get hit. I've said it before: forewarned is forearmed.
In the hope that it's not already too late for you, here's a freebie, a taster, with our compliments: a one-page 'scam alert' on ransomware from the March 2017 module.  
If you are still running around desperately trying to cobble something together to get the word out to your employees about ransomware, or worse still simply too busy to do anything at all on this topic, we can help.
We have more than 50 Mb of top-quality security awareness content on ransomware ready-to-roll, today:

There are seminar slide decks, posters, briefings, an FAQ, a test, a glossary and more - a smorgasbord of ransomwareness content from which to serve up a tasty meal for your organization. Aside from the general employee awareness stuff, there is a stream of content written specifically for management (e.g. a model policy and metrics), and another more technical stream for professionals. It's all customer-editable, so you are very welcome to adapt it to your particular circumstances and corporate comms style. No need to pay someone else a small fortune to customize it for you, do it yourself. 
Email me, now, before it's too late!
Regards, Gary
PS  What are you doing to raise awareness on workplace information security? Is it even on your risk-radar, let alone your to-do list?
Categories: NoticeBored

NBlog June 28 - branding security awareness

NoticeBored - Tue, 06/27/2017 - 8:01pm
I find brands fascinating. We are immersed in a heavily branded world, surrounded and constantly bombarded by brands. They are thrust at us through advertisements and emblazoned on product packaging. Many are really quite crude and obvious - childish graphical logos in bright primary colors, simplistic tag lines, annoying jingles and endless, endless repetition. Others are far more subtle and sophisticated. The very best take subtlety to the point that we no longer appreciate we are being coerced, but we are, oh yes we are. 
Brands go well beyond the logos, jingles and taglines, taking in very diffuse perceptions about the organizations and their products in general - myriad aspects such as quality, price, reliability, innovation and, most of all, trustworthiness. Most of us are loyal to certain brands while avoiding others (brands can be liabilities as well as assets), spreading branding's influence into the social sphere as we demonstrate and discuss our preferences with friends. We even delude ourselves, quietly accepting and downplaying faults with our favorite branded products and yet pointing out even small flaws in hated brands. The prejudices run deep.
Notwithstanding that comment about liabilities, brands are extremely valuable for organizations, and not just in the commercial sphere: take any political party, for instance, or politician. Well OK there is of course a financial undercurrent but public perceptions and trust are crucial to being (re-)elected. Same thing with sports teams, even religions. Corporate departments and functions also have brands though they are seldom deliberately managed. Individuals have brands too - think of, say, Richard Branson, Kim Kardashian or Donald Trump. Regardless of what you personally make of them, merely mentioning certain well-known names without any context instantly conjures up a cloud of perceptions, beliefs and expectations, some of which have almost certainly been deliberately fabricated or manipulated by those people plus their allies and opponents. The investment is huge.
So, how does all that relate to security awareness? 
The obvious place to start is the dreaded logo. Awareness programs normally have some sort of logo - often, it has to be said, lame ones involving padlocks, chains and binary numbers. With a bit of thought and effort, we can do much better than that, in fact a challenge or contest to come up with a decent logo is itself a valuable awareness activity - something we probably ought to do to update the rather drab and lifeless ISO27001security.com logo!
But hang on a moment, what is the logo meant to express? What are the perceptions and values we'd like to associate with the awareness program? If we leap right in with a logo, we've missed out a crucial step. As I said earlier, there's more to branding, more to consider, more to plan. 
It's worth spending quality time with marketing professionals to explore and understand the entire package before designing the packaging.
Creativity can be stimulated through various activities, techniques and approaches, especially if there are naturally creative people on the team or co-opted to it - and by the way, 'the team' is itself a valuable concept in the context of security awareness. Who is or is not on the team? What draws them to want to belong and hopefully participate? Who are the opposing teams? What are the team colors? When do they get together to wave their flags, chant the team chant and hopefully celebrate success on the field? What is success, in fact? What does it look like? How does it make you feel? 
That brings us to those tag lines supporting and giving meaning to your logo. If you had to sum up information risk and security (or whatever) in a short, memorable, meaningful phrase, what are the fewest, most expressive words you can come up with? Shortlisting and deciding between your tags is another part of the branding process, another opportunity to get creative and solicit inputs from other parties. Does "cybersecurity" do it for you? How about "protecting and exploiting information" or "safety and security"? Are we focused on locking things down to prevent the badness, or setting things free to release the goodness? The subtleties of our field are worth exploring, within your organization and its culture - which is yet another angle to this, along with maturity since culture is both an emergent and an evolving concept. 
Hopefully I've got you thinking so I'll stop here and return to the day-job, but there's much more to say and I'm sure I'll come back to this later. Meanwhile, the comments are open. I'm dying to learn new tricks. Go ahead, make my day (now that's a tag line!). 
Categories: NoticeBored