Security awareness lessons from Pokemon

August's security awareness topic is "pocket ICT security", referring to the information risks associated with portable Information and Communications Technology devices: the smartphones, laptops, tablets, USB sticks, wearables and other high-tech stuff we carry about our person.

Risks such as walking into the road and being hit by a car.

Yes, seriously. 

It is both on-topic and highly topical in the case of Pokemon Go players, young and old, being so focused on the virtual world on the smartphone screen that they neglect the real world hazards around them. The lucky ones are spotted and avoided by alert drivers. The unlucky ones are injured, perhaps even mown down by a vehicle driven by a similarly distracted driver.

Distraction is the more general information risk, a modern-day affliction. The more portable ICT we use, the more distracted we become. Wearables are the latest trend, long predicted but curiously slow to take off, perhaps because of the distraction factor? Or is it just that the Killer App has yet to appear?

August's awareness module delivers another 200 Mb of fresh awareness content, almost all of it researched and prepared within the past few weeks:
  • A train-the-trainer guide with creative advice on making good use of the materials;

  • A newsletter, using recent news clippings to illustrate the risks;

  • Three awareness seminar slide decks (one each for staff, managers and professionals), mostly graphical with few words on the slides and detailed speaker notes;

  • Six high-resolution awareness posters and six diagrams (mind maps and example metrics) suitable for professional printing, or to incorporate into other materials;

  • Three security policies and a procedure;

  • Several awareness briefings explaining things that are relevant to and hopefully resonate with the intended audiences;

  • A security metrics paper proposing and discussing several relating to portable ICT - useful whether you want to prove that everything is under control or to identify and justify systematic security improvements;

  • An FAQ, word-search challenge, awareness survey, quiz and case study supporting the learning process and awareness program;

  • A comprehensive hyperlinked glossary of information risk and security terms, highlighting those that are especially pertinent to pocket ICT;

  • An ICQ (Internal Controls Questionnaire) with which to review or audit the organization’s risks and controls in this area.
The materials are mostly MS Office files, supplied camera ready but unlocked (without Digital Rights Management), making it simple for subscribers to tweak or customize themselves ... in fact we actively encourage them to adapt the materials to their specific requirements. That might be as straightforward as selecting a few bits-n-pieces, replacing the placeholder logo with their own security awareness branding and updating the 'contact us for more info' details in each of the materials, or it could involve more substantial changes (e.g. if BYOD is totally forbidden, rather than being authorized by management as appropriate). 

Either way, it's much easier and cheaper just to adapt the supplied content than to research, prepare, proof-read and finalize everything from scratch, assuming a suitable technical author is immediately to hand - someone who has the qualifications, experience, competence, creativity and track-record in security awareness. Good luck finding someone suitable and willing to step into that role for anything remotely approaching the cost of our materials. Industry surveys tell us the information security jobs market is heating up rapidly as demand outstrips supply. One year's salary for an infosec awareness professional would buy the average organization enough awareness materials for decades, literally.