Awareness case study how-to
Presumably the cretin who sent me the email below thinks putting it all in bold and Capitalizing Every Word will somehow convince me that I really do need to Validate My Mailbox to avoid Loss Of Important Information ...
At least this phisher can spell, although his/her grammar still needs more work (7/10 See me later).
While we didn't specifically discuss phishing in this month's security awareness module on trust and ethics, fraud was mentioned a few times (briefly, since we have a separate awareness module dedicated to the topic). Phishing is, however, a familiar, everyday example of attempted fraud, and the ethical aspects are undeniable.
Emails such as the one above can easily be turned into case studies for awareness purposes, and here's how we do it:
1. Open your MS Word case study template* ready to create a new case study.
2. Open the email (or news report or incident report or whatever).
3. Copy-n-paste the text from the email into the 'scenario' section of the case study.
4. Trim and edit the scenario to remove or disable (defang) any links to potentially fraudulent and/or infectious websites, and strip out any personal data such as names, email addresses and phone numbers (important! - the case study will be copied and handed around, so nothing in it should be clickable or identify a real person).
5. Think up some open-ended questions arising from the email that relate to the monthly security awareness topic and write them down with spaces for people to jot down their answers. You don't need many - we find three is about right.
6. Over the page, think up and write down your 'model answers'. Bring out the security aspects of the case. Consider alternative perspectives (particularly on any contentious aspects) and related issues. Make it clear that other answers are equally valid. Refine the questions if appropriate.
7. Organize, schedule and promote your case study session(s) in suitable venues and contexts (e.g. either standalone sessions or as part of security seminars, induction classes, team meetings, brown-bag lunch sessions or 'town hall meetings', after-work security clubs ...). Make an effort to get people intrigued and keen to come along and participate - merely informing them about the place, date and time is not enough. Without giving too much away, drop big hints about the scenario and issues to be discussed. Dip into your awareness budget to bribe them with coffee and donuts or pizza, if you must, and offer suitable prizes for the behaviors you want to encourage (e.g. the most creative, novel, insightful or funny comments). Arrange for and brief suitable helpers if the group is too large for one person to handle.
8. At the session, introduce and present the scenario, using your pre-prepared questions to set people thinking. If possible, have people from the audience read out or role-play the scenario to bring it to life. Hand out your prepared case study materials (preferably just the first side). Divide the audience into subgroups of about 5 or 6 people (venues with separate tables to seat small groups work well; breakout rooms aren't usually necessary since groups all in the same room will feed off each other's energy). Make sure everyone understands the process and knows how long they have (set a time limit of about 10 minutes).
9. Circulate between the sub-groups to check that everyone is participating, that the discussions are lively and engaging, and to address any queries about the case or the process, making mental notes about specific issues of concern or information security angles that hadn't occurred to you already. Remind them of the time limit and persuade them to address all the questions.
10. Bring the whole group back together to talk about the scenario, using the pre-prepared model answers and your mental notes to get the discussion going. Give every sub-group a chance to speak. Chat through their responses, elaborate on the information security aspects of the case, and encourage the quieter ones to speak up (which may mean asking their more vocal colleagues to hold back and give everyone a chance). Pick up on contentious comments to polarize and stimulate the discussions. Hand out your model answers if appropriate (it's not normally necessary if the session has been a roaring success). Select the winners and award the prizes. Ask whether people want to do this again, and if so what kinds of topics they would most like to cover.
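Step 4 is the one with a real safety consequence: once the scenario is on a handout it will be photocopied, emailed around and pasted into slides, so any live link or personal detail in it travels with it. As an added example (not part of the original post, and not a NoticeBored tool), here is a small Python script that does the mechanical part of that step: it defangs URLs (http -> hxxp, dots in the hostname -> [.], query strings dropped because they often carry a personal token), and replaces email addresses and phone numbers with placeholders. The sample email text is constructed for the demonstration. Names still need a human eye; no regex reliably finds those.

```python
import re

# Constructed sample scenario text for the demonstration (not a real phish).
SAMPLE = """Dear Customer,

Please Validate Your Mailbox Within 24 Hours at http://mail-validate.example.com/login?user=jane.doe
or reply to admin@mail-validate.example.com to avoid Loss Of Important Information.

Regards,
IT Support Desk (call +1 555 0100 123)
"""

# Patterns are deliberately broad: for a handout, a false positive costs
# nothing, while a missed live link is exactly what we are trying to avoid.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def defang_url(url: str) -> str:
    """Return a non-clickable form of a URL.

    http -> hxxp (ftp -> fxp), '.' -> '[.]' in the host part only, and the
    query string is dropped since it may carry a user id or tracking token.
    """
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower().replace("http", "hxxp").replace("ftp", "fxp")
    host, sep, path = rest.partition("/")
    host = host.replace(".", "[.]")
    path = path.split("?", 1)[0]  # strip query parameters
    return f"{scheme}://{host}{sep}{path}"


def sanitize(text: str) -> str:
    """Defang links and mask email addresses and phone numbers in scenario text."""
    # URLs first, so an address embedded in a URL is handled by defang_url.
    text = URL_RE.sub(lambda m: defang_url(m.group(0)), text)
    text = EMAIL_RE.sub("[email removed]", text)
    text = PHONE_RE.sub("[phone removed]", text)
    return text


if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Paste the cleaned output into the 'scenario' section of the template, then read it through once more by hand for names, signature blocks and anything else a regex cannot recognise as personal data.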
The basic process outlined here is of course just a start: there are many ways to make your awareness sessions more engaging, more interesting, more fun and most of all more memorable and hence effective in awareness terms. The 'train-the-trainer' paper in every NoticeBored module offers all sorts of tips and suggestions aimed at whoever is running the awareness program, and Rebecca Herold's wonderful security awareness book is highly recommended. You may have access to experienced HR and training professionals to help plan or run your sessions, and there are plenty of generic books and Web resources to draw upon.
Try it. It's fun!
* We create and use templates routinely for all our awareness materials, mostly to save time and improve consistency because we are producing the same kinds of things every month. Templates are also a great way to refine the boilerplate text, systematically capturing creative ideas or inspiration that occurs when writing new content, hence some of our templates get updated several times a year.