Posts

Showing posts from March, 2017

Innovations awareness

Picking up on a spurious comment from yesterday, our graphics team jumped at the chance to turn the concept of a wild west WANTED poster into reality. So, with just that poster left to complete, we're fast approaching the finishing line after another successful month's work. Here's the contents listing with all those juicy ticks meaning 'prepared': Given that we hadn't covered this topic before, and it is such an unconventional topic for security awareness, it was quite hard to define the scope and purpose of the module and clarify the key awareness messages. Hey, that's innovation for you, risky business! We managed the risks by researching, planning, reviewing and in some cases adjusting our plans on the fly. The approach and process we're using has evolved since our awareness service was launched onto an unsuspecting world back in 2003, in fact earlier than that: I have been 'doing' security awareness for employers and clients for nearly 3 de...

Security innovators wanted

Today while completing the final drafting, we further refined the scope and clarified the purpose of the awareness module. It has evolved in the course of production and ended up looking like this: Innovation has two distinct phases - theory and practice: First comes creativity and inventiveness, the spark of original thought that might, at least theoretically, turn out to be practical and valuable enough to be worth exploiting; Next comes the effort required to develop and evaluate an idea, putting it into practice and so gaining the benefit. Having just called them distinct phases, they can overlap in the sense that the innovation process is iterative: when first imagined, ideas tend to be indistinct and incomplete. The documentation and evaluation activities lead to the idea being gradually clarified and refined, while the practicalities of implementation often involve revisiting the design, and further brainstorming. In fact, both phases of innovation are creative. As I g...

Security innovation metrics

The final two pieces of awareness material for the security innovation module's management stream fell neatly into place today. I've developed a kind of maturity metric for security innovation - a simple, consolidated measure that literally 'takes account' of the mesh of factors at the intersection of information security with innovation and creativity. The GQM approach Krag and I teach through our PRAGMATIC security metrics courses is ideal for this. Elaborating on the business goals in the subject area is the starting point, leading naturally on to a set of questions, which in turn become rows in the scoring table at the core of the metric. The metric is systematically defined using our standard template, adding details such as who performs the measurement, how and when they do it and to whom it gets reported. The PRAGMATIC score followed by a brief assessment of the pros and cons of the metric completes the picture, rounding out a reasonably succinct yet ...

Innovation awareness

With just days remaining until the March 31st deadline, the general staff security innovation awareness materials are almost finished, the management stream is well in hand and the professional stuff is, well, sulking in a dark corner until I clear enough head-space to push on with that. Thankfully most of the heavy lifting is complete at this point. The key awareness messages have crystallized out already, leaving just a few remaining thoughts rattling around loose in my skull - it's merely a case of capturing them before I forget! Always one of the final items to prepare every month is the newsletter. We have a sketchy view of its structure and a few odds-n-sods of content tucked away already, including snippets culled from public materials during our research over the previous few weeks - relevant quotes, interesting news items, that sort of thing. From time to time I have toyed with using note-taking apps to grab snippets and the source references directly from the web pages, ...

Innovation awareness activities

Today we completed the four-page train-the-trainer guide for the next awareness module. As always, we've conjured up a good bunch of suggestions to make the security awareness program even more effective - our own modest effort to foster creativity and stimulate innovation. If this blog has set you thinking, you'll love the ideas laid out each month in the train-the-trainer piece. Some are awareness activities, events and things to do with your audiences in connection with the monthly security topic. Others are more general methods (and Hinson tips!) to get business managers and other colleagues further on board with information security, building not just a loose extended web of social contacts but a tight-knit core team of highly influential and supportive colleagues - security friends. This approach is especially valuable if you constitute "a team of one" with sole responsibility for security awareness, perhaps even a part-timer with a million other things to do a...

Staff awareness on security innovation

The staff briefing paper on security innovation is 'done'. Writing it reminded me of the flaming Samsung Galaxy Note 7 debacle from 2016, a neat example of the risks associated with 'bleeding edge' high technology that I'm sure most workers will recall. Samsung is back in the news now, apologizing to shareholders for the incident and a separate bribery scandal. Given the direct costs, reputational damage and brand devaluation, it's a neat way to illustrate the commercial risks of innovation for management too. Introducing relevant news from the general media into the security awareness content, especially while it is fresh, is a deliberate part of our strategy. We're not only highlighting the topical information risk, security and other angles in the particular news pieces but also more subtly encouraging people to consider those same perspectives whenever they catch the news. At some future point, there is bound to be another headline-grabbing news story concer...

The one point graph

Given my interest in metrics, I'm always on the lookout for statistics relevant to the monthly topics to incorporate into and illustrate our awareness materials. It's hard, though, to find credible figures that we are prepared to pass along to our customers. There are plenty of numbers tossed around but few of them have any substance - at least not enough to satisfy my admittedly rather cynical inquiry. Take this paragraph, for instance, by Bill Taylor-Mountford, lifted from one of the many marketing blogs promoting companies sponsoring the RSA conference: "When ransomware took centerstage a few years ago, we failed to anticipate its magnitude and severity. 2016 was the year when ransomware dominated headlines as it exploded to become one of the biggest security wakeup calls for CXOs. That year the FBI estimated that ransomware could be a $1 billion source of illicit income for cyber criminals, and, a survey by Osterman Research showed that 39 percent of organizations...

Security innovation awareness

Progress! The staff seminar quickly spawned a management seminar with a few content changes to suit a different audience with different interests and concerns. We've picked up on cloud computing, for example, an innovation with strong security implications. Cloud computing is of limited relevance to staff but is of interest to managers in organizations that have it in use already, whether or not they explicitly sanctioned it as a corporate initiative. Given the headlong rush to get into the cloud, are the associated information risks and opportunities being professionally managed, alongside the technology, commercial and other aspects? Raising management's appreciation of the typical concerns in this area is a valuable outcome of the awareness program, compared to the alternative, i.e. ignorance, perhaps even reckless abandon! The commercial aspects of innovation are also of direct interest to management. This includes the proliferation of dark-side services supporting criminal...

WIP

Nothing much to say today - we're too busy working on the security innovation awareness materials. The staff seminar is done, and is now in the process of being adapted/extended for the management and professional seminars. The speaker notes also form the basis of the accompanying briefing papers/handouts.

Email security

As part of the background research for next month's awareness module on 'email and messaging security', I figured it is about time I got to grips with secure email. You'd have thought I'd be on top of it already, given that my career started nearly 30 years ago with email system administration and then information security! Truth is, I've managed OK without it until now. The few times I have really needed to send secure email, I have either used a secure webmail facility provided by the client or achieved the same ends using AES-encrypted WinZip archives, sharing the secret password off-line. Now I find myself needing to communicate securely with a company that doesn't offer secure webmail but does (allegedly) use PGP for secure email. Hmmm. Today I re-discovered a key reason for not bothering with secure email - the very same reason that has caused me to try, fail and give up previously. The process of configuring MS Outlook - a commonplace, mainstream ema...

Innovation awareness

After a weekend on the farm, I'm back to the day job, preparing April's awareness module on 'security innovation'. The scope of this module is becoming clearer day by day. Two perspectives, in particular, stand out because of their relevance to information risk and security. Here's a scope/introductory slide from the staff seminar: First there's the invention and creativity angle, including the creation, exploitation and protection of intellectual property. We have covered Intellectual Property Rights several times already, so we could dip into the library of content for something suitable to repurpose this month. However, I brought up patent trolls a few days ago, a new topic that avoids regurgitating old content. We can refer to IPR in general terms without going into detail, then expand a little on patent trolls. Secondly, there's the issue of both driving and responding to changes. Again, we've covered change management before so there may be general b...

Fencing in the sun

A sunny Sunday was my chance to repair an ancient 7-wire fence - so old in fact that it had become a 6-wire fence: the bottom wire ran on or in the ground and had largely corroded away. Full-grown sheep can't limbo underneath it but their lambs do, becoming separated from their mums and soon expiring unless they find their way back in time for a feed. Meanwhile, the ewes generally wander off, seemingly oblivious to the pitiful bleating from the other side of the fence. Last spring, a fluffy newborn lamb slipped under the fence and promptly got entangled in a blackberry bush. Luckily Deborah heard the bleating and rescued her just in time. Naturally, we call her Bramble. She's doing fine and will soon have lambs of her own. On days like today, I love my office.

Coats off

A blog mentioning patent trolls reminded me that inventions may be patented, opening up several innovation-related information risks and opportunities. Hmmm, that's something else to bring up in the management stream this month - intellectual property rights protecting creative expression and innovation. Meanwhile, there are sheep to shear and fences to mend. So long as the rain holds off, it's a good weekend for 'outside jobs' ...

Staff slides on security innovation

The staff awareness seminar slide deck on 'security innovation' is coming along nicely. That image of two sectioned heads on the second slide will introduce the ongoing battle of wills between the white and black hats, in which innovation and creativity play a central role on both sides. We've incorporated a selection of innovation-related images already, and we'll be adding real-world examples (like that intimidating Reaper drone in slide 12) to illustrate and reinforce key points. We're planning to say something towards the end about promising security innovations, which means scanning the landscape for news of novel security products and services, innovative approaches to security and creative ways to address information risks. I have a couple in mind already but further suggestions are always welcome. While it would be nice to be able to explain cutting-edge security advances such as quantum crypto, I'm keen to find simpler, more easily understood examples ...

St. Patrick's day light show

I've said quite a lot about our monthly cycle. We find a month long enough to explore an information risk and security topic in some depth, and yet short enough to avoid terminal boredom for us and our clients' awareness audiences. There are two longer cycles too. A few topics get brought up every year because strong security awareness is such an important and valuable control in the obvious areas such as:

- Malware
- Social engineering
- Physical security

Other awareness topics are dusted off and refreshed every so often too - things such as:

- Securing portable IT devices
- Cryptography including authentication and access control
- Privacy
- Fraud
- Patching, version control, change management and so on.

Although it's not as critical for everyone to know all about them, a general appreciation is beneficial so these get updated every few years. As well as covering specific topics, there are more fundamental themes such as:

- Information risk and security (of course!)
- Governance
- Compli...

The magic of 7

Distracted by some amusing mathematically inspired comments from friends relating to Pi Day, I've stumbled across an infamous article about the magic number 7, originally published back in 1956 by George A. Miller, a cognitive psychologist. Not being a cognitive psychologist myself, I skimmed briefly through it ... but the final few words caught my eye: George said "I suspect that it [meaning the obsession with 7] is only a pernicious, Pythagorean coincidence". What a nice way to put it! If you too are not a cognitive psychologist, you might find the Wikipedia version more accessible. It is often suggested that we should stick to 7 things when presenting, in the sense that 7 is allegedly the most points we should expect an audience to appreciate and hopefully remember. It could be called an urban legend. Some people say the magic number is 5 or 3 or 10 ... so I guess the more general version is "a small number" or "a handful" of things, and that...

The Ides of March

A throwaway comment towards the end of yesterday's blog sent me scurrying down a rabbit hole, well, more of a warren really. What is DevOps and how does it relate to security innovation? In short, as I understand it, DevOps involves integrating and tooling-up development and operations teams so they collaborate in a more effective and efficient way, thus reducing the cycle time between conventional software releases while also delivering better, more resilient and more manageable IT systems. Sounds great, right? Oh, but hang on a moment. Haven't we seen this kind of thing before? Isn't DevOps just another movement, a buzzword not unlike Agile, Waterfall, Cloud, Lean, ITIL and more ... none of which turned out to be the Ultimate Solutions their vocal proponents enthusiastically implied or claimed. They did however deliver philosophies, strategies, elements, approaches and tools that proved somewhat useful and valuable. Truth is they all have their strengths and weaknesses, op...

Pi day

The awareness messages relating to 'security innovation' are slowly crystallizing, prompted in part by the thinking behind this month's evolving risk-control spectrum diagram: The diagram shows two overlapping bands of risk. On the one hand, failing to adopt and exploit novel technologies or other forms of control constitutes missed opportunities for the organization, depending on how often and to what extent that occurs. On the other hand, pressing ahead too quickly with immature technologies etc. increases the risks of failures and costs arising. Both those risks can be controlled through suitable strategies, policies and approaches concerning the management of information risks. A highly risk-averse organization is likely to be conservative in its choice of security technologies, for instance. While it may avoid the dangers of getting into unfamiliar territory, it may also be missing out on viable business opportunities and failing to address information risks. Convers...

Creative innovation

We've enjoyed a weekend off, worn out by the effort of coming up with a bunch of ideas for the next set of security awareness posters last Friday. Trust me, it's not easy to design six new posters every month. How would you picture "security innovation"? Seriously, think about that for a moment.* If you suggested a Google image search, go straight to the back of the class. Copying someone else's design without their permission would be intellectual property theft, and even plagiarising one or using something 'for inspiration' is not exactly ethical. Besides which, it's not very innovative or creative, is it? Repackaging someone else's content is like shoving old shoes in a new box. They are still old shoes. This issue crops up repeatedly in relation to awareness and training materials in general. Google can help us find plenty of content, no problem, but despite being 'free' it carries a cost: Unless it has been explicitly released by it...

WIP

Well, here we are on the tenth of the month already with April's awareness module looking disappointingly sparse at this point: Nothing is actually finished as yet (no black ticks) but there are several items on the go and the thinking is in full swing. The 'train the trainer' piece is the furthest advanced, thanks to two parts. The scope and purpose of the awareness module is taking shape (looks like the name of the module might be "Security innovation"), and we've come up with some creative and innovative ideas for security awareness - quite a few in fact. After furiously writing a page of bullet points I had to take a break in order to get on with other things. Those 'other things' included discussing some potential ISO27k consulting work with a new client and trying to find out what happened to a previous metrics consulting/training proposal that plummeted into the deep dark depths of the NZ government official tendering process. [Conveniently, the ...

Sir Veillance

Aside from the obvious effects on the agency and the US government, today's Wikileaks disclosure concerning the CIA's capabilities to hack various technologies is a global concern for our "industry", or rather our profession, our craft, taking in the information risk, security and related fields (such as business continuity, privacy and compliance) as a whole. At a high level, major incidents reflect badly on all of us and are embarrassing ... and yet, scratching beneath the surface, things invariably get more complex and convoluted in practice. There are reasons why things happened and were not avoided, identified, blocked or mitigated. We are where we are in the industry as a result of all that has gone before, including the long-term cumulative effects of a gazillion decisions and events and developments along the way, not all of which were ours (e.g. cloud computing, BYOD and IoT/IIoT are three classic examples of areas where information security pros are openly concerned abo...

Innovative awareness

The next awareness topic is security innovation, so today I've been thinking up innovative approaches for security awareness to include in the module's awareness activities paper. "When the classic strategies aren't delivering, you send in the guerrillas. They're the extra-special forces - the ones that implement killer strategies to turn the tide and defeat the enemy." WordStream. Guerrilla and viral marketing suggest a deliberately unconventional approach to security awareness. Instead of overtly promoting information security, privacy, compliance and related matters as usual, awareness messages may be circulated covertly, passed on discreetly by word of mouth and social media. Think best-kept secret, not megaphone marketing. Branded suck-blankets and comforters rather than ordinary security posters. Eye-catching visual jokes (think Escher, Heath-Robinson or Dali) may spark the imagination, making people laugh and think. Other possible hooks aside from art ar...