Friday 31 March 2017

Innovations awareness

Picking up on a spurious comment from yesterday, our graphics team jumped at the chance to turn the concept of a wild west WANTED poster into reality. So, with just that poster left to complete, we're fast approaching the finishing line after another successful month's work.

Here's the contents listing with all those juicy ticks meaning 'prepared':



Given that we hadn't covered this topic before, and it is such an unconventional topic for security awareness, it was quite hard to define the scope and purpose of the module and clarify the key awareness messages. Hey, that's innovation for you, risky business! 

We managed the risks by researching, planning, reviewing and in some cases adjusting our plans on the fly. The approach and process we're using has evolved since our awareness service was launched onto an unsuspecting world back in 2003, in fact earlier than that: I have been 'doing' security awareness for employers and clients for nearly 3 decades, so I'm well-practiced. At the same time, the field as a whole is still evolving, along with adult education in general, so I'm always on the lookout for new tricks. 

Updating this blog is helpful too, in the sense that it forces me to think more carefully about the process rather than us simply slogging away, noses to the grindstone like normal. I hope you're finding it interesting and worthwhile, especially of course if you are either doing awareness or perhaps getting ready to launch your own awareness program. Have we inspired you to get more creative and try new approaches - to innovate? Have any of our ideas particularly resonated with you? Is there anything you'd like me to bring up? We'd love to hear from you. Please take a moment to comment or email me. Even just clicking one of the rating boxes below tells me you are still awake! Conversely, if nobody values this stuff enough to respond, perhaps I should give it up and put the time into something else ...

Meanwhile, we've proofread the module and will soon be packaging it up for delivery to subscribers. I'm conscious that this isn't the end of the story. The second phase of the innovation process is implementation and exploitation, hence I'm wondering what our customers make of the new materials and how effective they turn out to be in practice. 

So that's it from me for March. After a miserable rainy week, the NZ sky is blue, the sun is bright and the weekend beckons.

Thursday 30 March 2017

Security innovators wanted

Today while completing the final drafting, we further refined the scope and clarified the purpose of the awareness module. It has evolved in the course of production and ended up looking like this:



Innovation has two distinct phases - theory and practice:
  1. First comes creativity and inventiveness, the spark of original thought that might, at least theoretically, turn out to be practical and valuable enough to be worth exploiting;
  2. Next comes the effort required to develop and evaluate an idea, putting it into practice and so gaining the benefit.
Having just called them distinct phases, they can overlap in the sense that the innovation process is iterative: when first imagined, ideas tend to be indistinct and incomplete. The documentation and evaluation activities lead to the idea being gradually clarified and refined, while the practicalities of implementation often involve revisiting the design, and further brainstorming.  In fact, both phases of innovation are creative.

As I got towards the end of the professionals' awareness briefing paper, I needed a way to draw it to a conclusion. Thanks partly to strong coffees and looming deadlines, a half-formed thought from a few days ago sprang back to mind and over the space of an hour or so morphed into a 'wanted notice' for security innovators. 

From that point it was quite straightforward to prepare one of our standard one-page job descriptions, embedding an illustration blending creativity with security.

Wednesday 29 March 2017

Security innovation metrics

The final two pieces of awareness material for the security innovation module's management stream fell neatly into place today.  

I've developed a kind of maturity metric for security innovation - a simple, consolidated measure that literally 'takes account' of the mesh of factors at the intersection of information security with innovation and creativity. 

The GQM approach Krag and I teach through our PRAGMATIC security metrics courses is ideal for this. Elaborating on the business goals in the subject area is the starting point, leading naturally on to a set of questions arising, which in turn become rows in the scoring table at the core of the metric.


The metric is systematically defined using our standard template, adding details such as who performs the measurement, how and when they do it and to whom it gets reported. The PRAGMATIC score followed by a brief assessment of the pros and cons of the metric completes the picture, rounding-out a reasonably succinct yet thought-provoking paper worth talking through with management. Regardless of whether the metric is actually adopted in the end, the thinking and discussion around it satisfy the security awareness objective. Job done!

The final management piece for the module is an 'elevator pitch' - just 100 carefully chosen words summing up the module's main security awareness messages for busy senior managers. Although it took me less than an hour to get those 100 words down on paper, they are the culmination of several months' research and thinking. The pitch is more than just a helicopter summary: its main purpose is to catch the reader's imagination and stimulate them to consider the topic, thereby priming them for subsequent informal conversations with colleagues - socializing security in our terms, also part of the awareness objective.

No time to lose, the professionals' materials need to be completed sharpish. Pop by tomorrow to see how they pan out.

Tuesday 28 March 2017

Innovation awareness

With just days remaining until the March 31st deadline, the general staff security innovation awareness materials are almost finished, the management stream is well in hand and the professional stuff is, well, sulking in a dark corner until I clear enough head-space to push on with that. Thankfully most of the heavy-lifting is complete at this point. The key awareness messages have crystallized out already leaving just a few remaining thoughts rattling around loose in my skull - it's merely a case of capturing them before I forget!

Always one of the final items to prepare every month is the newsletter. We have a sketchy view of its structure and a few odds-n-sods of content tucked away already, including snippets culled from public materials during our research over the previous few weeks - relevant quotes, interesting news items, that sort of thing. From time to time I have toyed with using note-taking apps to grab snippets and the source references directly from the web pages, PDFs etc. ... but somehow there's never quite enough benefit to justify really getting to grips with the apps, so I fall back on simple plain text files (barely one step up from scraps of paper and a pen!). 

The newsletter revolves around the news, of course, the more 'topical' the better, both in terms of being on-topic for our chosen area of concern, and recent, within a few days ideally or a few months at most. We're not in the business of re-hashing old news or 'fighting the last war': awareness, teaching and training materials have to be bang up-to-date otherwise we might as well hand round a few dusty old textbooks and head to the bar. Aside from anything else, old news is like old chewing gum: stale, tasteless and you can't seem to shake free of it. 

Another thing that often happens around this time of the month is that we rationalize the content for the three distinct audiences. Some of the things we've brought up in the staff stream, for instance, turn out to be inappropriate for the general audience, perhaps too detailed, technical or conceptual for most people. Usually it's a simple matter of cutting a slide or two from the staff seminar and pasting it into one or both of the others. Sometimes it involves updating the wording to change the emphasis a bit, perhaps picking up on a different perspective. The net result is a reasonably balanced suite of materials, meaningful to the respective audiences and yet with enough touch points to prompt conversation between them.

Monday 27 March 2017

Innovation awareness activities

Today we completed the four page train-the-trainer guide for the next awareness module. 

As always, we've conjured up a good bunch of suggestions to make the security awareness program even more effective - our own modest effort to foster creativity and stimulate innovation.

If this blog has set you thinking, you'll love the ideas laid out each month in the train-the-trainer piece. Some are awareness activities, events and things to do with your audiences in connection with the monthly security topic. Others are more general methods (and Hinson tips!) to get business managers and other colleagues further on-board with information security, building not just a loose extended web of social contacts but a tight-knit core team of highly influential and supportive colleagues - security friends. This approach is especially valuable if you constitute "a team of one" with sole responsibility for security awareness, perhaps even a part-timer with a million other things to do and hardly any resources or support. You are not alone!

In place of the usual awareness quiz, this month we're presenting a challenge: it's similar to the quiz with the same central objective of people enjoying themselves as a team-based social exercise, thinking, talking and learning about information security, but with a slightly different format. Given the topic, we're hoping to get them thinking creatively, inventing and discussing potential innovations in the context of information security. There is unlikely to be sufficient time and energy to take their innovations to the next step (although it would be great fun to get the teams making cardboard mock-ups, acting out new processes or whatever!), so the briefing ends with a brief heads-up on the remainder of the innovation process.

Who knows, some bright spark might just invent the ultimate mouse trap!

Sunday 26 March 2017

Staff awareness on security innovation

The staff briefing paper on security innovation is 'done'. 

Writing it reminded me of the flaming Samsung Galaxy Note 7 debacle from 2016, a neat example of risks associated with 'bleeding edge' high technology that I'm sure most workers will recall.  

Samsung is back in the news now, apologizing to shareholders for the incident and a separate bribery scandal. Given the direct costs, reputational damage and brand devaluation, it's a neat way to illustrate the commercial risks of innovation for management too.

Introducing relevant news from the general media into the security awareness content, especially while it is fresh, is a deliberate part of our strategy. We're not only highlighting the topical information risk, security and other angles in the particular news pieces but also more subtly encouraging people to consider those same perspectives whenever they catch the news. At some future point, there is bound to be another headline-grabbing news story concerning innovation, invention or whatever that will hopefully remind workers of this month's topic, another win for the awareness program.

Saturday 25 March 2017

The one point graph

Given my interest in metrics, I'm always on the lookout for statistics relevant to the monthly topics to incorporate into and illustrate our awareness materials. It's hard, though, to find credible figures that we are prepared to pass along to our customers. There are plenty of numbers tossed around but few of them have any substance - at least not enough to satisfy my admittedly rather cynical inquiry.

Take this paragraph, for instance, by Bill Taylor-Mountford, lifted from one of the many marketing blogs promoting companies sponsoring the RSA conference: 
"When ransomware took centerstage a few years ago, we failed to anticipate its magnitude and severity. 2016 was the year when ransomware dominated headlines as it exploded to become one of the biggest security wakeup calls for CXOs. That year the FBI estimated that ransomware could be a $1 billion source of illicit income for cyber criminals, and, a survey by Osterman Research showed that 39 percent of organizations in some of the world’s largest superpower countries were hit by a ransomware attack. Other reports show that Asia Pacific suffered more than 10 million ransomware attacks in the first half of 2016 alone."
So according to Bill, ransomware "exploded" in 2016, as indicated by:
  • The FBI estimating that ransomware "could be a $1 billion source of illicit income for cyber criminals". In the course of preparing this month's awareness module on ransomware, I hunted for the source of that $1bn estimate. All I have been able to find is a throwaway comment ascribed to an unnamed FBI source by a journalist in the cited CNN news piece under a dramatic headline "Cyber-extortion losses skyrocket, says FBI" which, in turn, cited an earlier CNN piece "'Ransomware' crime wave growing". Tucked away in there we find this snippet: "The FBI says it received 2,453 complaints about ransomware hold-ups last year, costing the victims more than $24 million dollars." Presumably someone has extrapolated from $24m in 2015 to $1bn in 2016. Wow! The $1bn figure has been widely repeated ever since as if it was a hard, proven fact. It is easy to think up a random number while, thanks to the nice round figure "a billion bucks" having a certain cachet, it has spawned an Internet meme, fueled by no end of individuals, journalists, marketers and organizations repeating it ad nauseam;
  • The cited Osterman Research survey was conducted on behalf of an antivirus company (the same company, I notice, that features prominently in those CNN pieces ...) and used by them for marketing purposes, hence I would be surprised, totally amazed, flabbergasted, gobsmacked if the survey was not designed to demonstrate how valuable their antivirus software is, for example grossly inflating the size of the problems they claim to solve. Furthermore, they surveyed about 500 IT managers in American, Canadian, British and German companies - none it seems in the Asia Pacific region that Bill was specifically blogging about. There are other issues with the survey, typical of its kind. We aren't told how the sample population was selected for the survey but there's a fair bet it consisted of current or prospective customers of the antivirus company - most likely a self-selected sample of people willing to click a few buttons on a web survey, not a random sample - which thereby invalidates many statistics and calls the whole thing further into question;
  • Bill ended the paragraph by referring tantalisingly to "other reports", making no attempt whatsoever to identify them. We cannot assess the claimed "more than 10 million ransomware attacks [in Asia Pacific] in the first half of 2016". For all we know, that's another figure plucked out of thin air. Personally, I try hard to discount such unsubstantiated claims out of hand, although something once read cannot be un-read so it is another little piece of tripe festering at the back of my brain - and yours too, I'm afraid, since even if you didn't catch the original blog, I've repeated it here. Sorry, I'm part of the problem! Hopefully that mental image of festering tripe is powerful enough to trump the statement.

The emotive term "exploded" clearly implies that the ransomware problem was much less before 2016, and yet Bill fails to substantiate that. This smells a lot like one of those one-data-point graphs: place a dot somewhere on the graph, connect it to the origin at bottom-left by a line, and project it forward as far as you like. In reality, we can only guess where the Y-axis crosses the X-axis, and as for the nature of the relationship and hence the linearity of the line, well with only the one limited data point to go on, good luck defining anything since an infinite variety of possible lines pass through that single point. Worse still, as I've been saying, the one data point itself has a distinctly dubious pedigree and doesn't qualify as "data" (not even under Doug Hubbard's deliberately liberal interpretation). Hence whether the problem "exploded" in 2016 in any meaningful, literal sense looks like mere speculation to me, hyperbole designed to fill column-inches.

"Oh but it was informed speculation" I hear you thinking out loud. "It came from the FBI!".  As we Kiwis say, "Yeh, nah."

I am prepared to accept that ransomware is a current issue, fair enough. It has certainly received quite a lot of media coverage in the past year or so, if not actually 'dominated the headlines'. There are credible but largely apocryphal stories about organizations [mostly fairly small public bodies - hmmm, strange that] being coerced into paying a few thousand dollars each to decrypt their data. But as to whether ransomware "exploded" to a '$1bn problem', no we won't go that far, not yet anyway: let's wait for at least one more data point before graphing the trend, eh? Let's see how it turns out.

Friday 24 March 2017

Security innovation awareness

Progress!  The staff seminar quickly spawned a management seminar with a few content changes to suit a different audience with different interests and concerns.

We've picked up on cloud computing, for example, an innovation with strong security implications. Cloud computing is of limited relevance to staff but is of interest to managers in organizations that have it in use already, whether or not they explicitly sanctioned it as a corporate initiative. Given the headlong rush to get into the cloud, are the associated information risks and opportunities being professionally managed, alongside the technology, commercial and other aspects? Raising management's appreciation of the typical concerns in this area is a valuable outcome of the awareness program, compared to the alternative i.e. ignorance, perhaps even reckless abandon!

The commercial aspects of innovation are also of direct interest to management. This includes the proliferation of dark-side services supporting criminal enterprise, such as money laundering, botnet rental and so on. So long as ransomware, identity theft, intellectual property theft and online bank heists continue making cybercriminals rich, they can afford to continue investing in the dark side services and infrastructure - in other words the threats and hence the risks are increasing.

Given the title, a newly published IT vendor report on 'securing innovation' looked promising. It provided a couple of useful quotes although, as is so often the way, a strong bias towards the vendor's own products and a myopic focus on IT rather than information, meant we couldn't make full use of it.

We're also making progress on the professionals' seminar. Blockchain and DevOps are two tech innovations to bring up there - just a high level slide on each. After all, this is 'just' security awareness, not tech training!

Although with just a week left until the end of the month there aren't many dark (as in completed) ticks on the tick-sheet above, most items are now in progress. The 3 sets of seminar slides and speaker notes will form the basis for the accompanying briefing papers, for example, with extra diagrams, press clippings and a few more words of explanation here and there.

Thursday 23 March 2017

WIP


Nothing much to say today - we're too busy working on the security innovation awareness materials.

The staff seminar is done, and is now in the process of being adapted/extended for the management and professional seminars.

The speaker notes also form the basis of the accompanying briefing papers/handouts.

Wednesday 22 March 2017

Email security

As part of the background research for next month's awareness module on 'email and messaging security', I figured it is about time I got to grips with secure email. You'd have thought I'd be on top of it already, given that my career started nearly 30 years ago with email system administration and then information security! Truth is, I've managed OK without it until now. The few times I have really needed to send secure email, I have either used a secure webmail facility provided by the client or achieved the same ends using AES-encrypted WinZip archives, sharing the secret password off-line. Now, I find myself needing to communicate securely with a company that doesn't offer secure webmail but does (allegedly) use PGP for secure email. Hmmm.

Today I re-discovered a key reason for not bothering with secure email - the very same reason that has caused me to try, fail and give up previously. The process of configuring MS Outlook - a commonplace, mainstream email application - for S/MIME is convoluted and inadequately-explained. For starters, what is S/MIME anyway? Does it interoperate with PGP? Despite reading a bit about it, I'm not entirely sure at this point although I suspect not. Some of the information online might as well have been written by Greeks.  In Martian.

I found a website offering free email certificates ... except it didn't explain that Chrome won't install them properly: evidently we need to run Internet Explorer. There's not the faintest whiff of an error message to tell us the process failed. That's another hour of my life down the pan, chasing down Windows' certificate store and yet failing to persuade Outlook to install and use a perfectly serviceable certificate from the store. Re-running the download and install through IE worked fine though (after I had also figured out how to revoke the first certificate since it wouldn't let me have two for the same email address, oh no). I wish I had a clue what it was doing automagically in the background that I couldn't do manually. Some sort of hocus pocus going on.

We're clearly a long way from simple secure email, despite the common refrain that the process really ought to be made easier and more widely accessible. My cynical mind wonders if certain 'agencies' might be actively frustrating attempts to simplify and so spread secure email more widely ... and while I would understand their reasons, I doubt I could be persuaded that it is in the public interest to allow the authorities to continue snooping on all our emails willy-nilly. So I guess our next awareness module has a public service objective.

Tuesday 21 March 2017

Innovation awareness

After a weekend on the farm, I'm back to the day-job, preparing April's awareness module on 'security innovation'.

The scope of this module is becoming clearer day-by-day. Two perspectives, in particular, stand out because of their relevance to information risk and security. Here's a scope/introductory slide from the staff seminar:


First there's the invention and creativity angle, including the creation, exploitation and protection of intellectual property. We have covered Intellectual Property Rights several times already so we could dip into the library of content for something suitable to repurpose this month. However I brought up patent trolls a few days ago, a new topic that avoids regurgitating old content. We can refer to IPR in general terms without going into detail, then expand a little on patent trolls.

Secondly, there's the issue of both driving and responding to changes. Again, we've covered change management before so there may be general background stuff in our awareness library we can dust off. This time we're focusing specifically on risk and security changes involving or brought about by technology and social innovations, though, so here too we will be creating brand new content just for this module.

This is par for the course for us. None of the security awareness topics in our bulging portfolio is truly static although admittedly some are more mature than others. In practice, we always find novel perspectives to explore, even for the more stable ones - such as the annual malware topic spawning ransomware this year. Since the world has moved on since we last covered them, there are invariably new issues and incidents to report too. It keeps us on our toes and avoids the awareness materials becoming stale. 

Our monthly cycle was innovative when we launched it back in 2003. I've noticed a few other awareness suppliers toying with periodic updates from time to time since then, the periods ranging from 1 week to 1 year or more. Several produce regular newsletters with an assortment of current news, although most only cover tech "cybersecurity" issues and don't provide enough context or explanation for the general security awareness audience. It still feels right to me to focus on a different information risk and security-related topic every calendar month, and to take a deliberately broad perspective with unusual topics such as ... 'security innovation'. An added bonus is that it makes researching and preparing the materials more satisfying for those of us with a short attention span and perfectionist nature. Generally speaking, the last week of any month is a slog but the anticipation of a short break before moving on to the next topic motivates us to get the module finished and delivered.

Monday 20 March 2017

Fencing in the sun

A sunny Sunday was my chance to repair an ancient 7 wire fence - so old in fact that it had become a 6 wire fence: the bottom wire ran on or in the ground and had largely corroded away. Full grown sheep can't limbo underneath it but their lambs do, becoming separated from their mums and soon expiring unless they find their way back in time for a feed. Meanwhile, the ewes generally wander off, seemingly oblivious to the pitiful bleating from the other side of the fence.

Last Spring, a fluffy newborn lamb slipped under the fence and promptly got entangled in a blackberry bush. Luckily Deborah heard the bleating and rescued her just in time. 

Naturally, we call her Bramble. 

She's doing fine and will soon have lambs of her own.

On days like today, I love my office.

Sunday 19 March 2017

Coats off

A blog mentioning patent trolls reminded me that inventions may be patented, opening up several innovation-related information risks and opportunities. Hmmm, that's something else to bring up in the management stream this month - intellectual property rights protecting creative expression and innovation.

Meanwhile, there are sheep to shear and fences to mend. So long as the rain holds off, it's a good weekend for 'outside jobs' ...


Saturday 18 March 2017

Staff slides on security innovation






The staff awareness seminar slide deck on 'security innovation' is coming along nicely.  That image of two sectioned heads on the second slide will introduce the ongoing battle of wills between the white and black hats, in which innovation and creativity play a central role on both sides. We've incorporated a selection of innovation-related images already, and we'll be adding real world examples (like that intimidating Reaper drone in slide 12) to illustrate and reinforce key points.

We're planning to say something towards the end about promising security innovations which means scanning the landscape for news of novel security products and services, innovative approaches to security and creative ways to address information risks. I have a couple in mind already but further suggestions are always welcome. While it would be nice to be able to explain cutting-edge security advances such as quantum crypto, I'm keen to find simpler, more easily understood examples for the general staff awareness audience. With 15 slides and a fair amount of ground to cover already, I can picture those drooping eyes and shuffles.

I'm tempted to tack-on a final slide posing a question about what's coming up on the black hat scene. Again I have a couple of vague possibilities in mind, although I'd prefer to leave them with the parting message that we really don't know what they are up to unless and until someone spots a novel tool, approach or whatever. I like the idea of giving the audience something stimulating to think and talk about as the seminar comes to an end, making the final 'afterthought' slide paradoxically the most valuable one in the deck. If the previous slides, the accompanying speaker notes (not shown here) and the presenter have done their job, it should be eye-catching, intriguing and yet self-explanatory. It's our little seed, planting thoughts in brains through a creative and innovative approach to security awareness.

Friday 17 March 2017

St. Patrick's day light show

I've said quite a lot about our monthly cycle. We find a month long enough to explore an information risk and security topic in some depth, and yet short enough to avoid terminal boredom for us and our clients' awareness audiences.

There are two longer cycles too.  A few topics get brought up every year because strong security awareness is such an important and valuable control in the obvious areas such as:
  • Malware
  • Social engineering 
  • Physical security
Other awareness topics are dusted off and refreshed every so often too - things such as:
  • Securing portable IT devices
  • Cryptography including authentication and access control
  • Privacy
  • Fraud
  • Patching, version control, change management and so on. 
Although it's not as critical for everyone to know all about them, a general appreciation is beneficial so these get updated every few years.

As well as covering specific topics, there are more fundamental themes such as:
  • Information risk and security (of course!)
  • Governance
  • Compliance
  • Control
  • Responsibility and accountability
  • Management, oversight, monitoring and directing information risk and security
  • Business
  • Technology
  • Information
Occasionally we highlight and explore those individual themes in isolation, although normally they are just an integral part of the monthly modules. Like threads woven through all the materials, the themes link successive modules together into a coherent mesh, a fabric strip rather than a random assortment of fragments. They help us 'tell the story' of information security.

The long-term thematic approach is a convenient way to handle the inevitable tangents and asides, plus cross-over between many topics. "Phishing", for instance, involves social engineering, technology, authentication, malware, Internet security, fraud and more. In an awareness piece on phishing, we don't necessarily need to go into depth on those other aspects since they have been and will again be covered, at other times. It's OK to bring them up briefly and move on. In the same way later on, a briefing or seminar about, say, social engineering might casually mention phishing without having to stop and explain it.

I'll end today by mentioning that not everything we do is cyclical or repetitive. Part of the fun in this game involves spotting and responding to changes - new threats, new modes of attack, new incidents, new challenges, new wrinkles, new tricks ... which finally brings me back on track to talk about April's awareness topic, security innovation. Must press on: awareness stuff to prepare before digging out a green teeshirt and the obligatory pint of Guinness.

May all your information risks be in the green today.  Slainte!

Thursday 16 March 2017

The magic of 7

Distracted by some amusing mathematically inspired comments from friends relating to Pi-day, I've stumbled across an infamous article about the magic number 7, originally published back in 1956 by George A. Miller, a cognitive psychologist.

Not being a cognitive psychologist myself, I skimmed briefly through it ... but the final few words caught my eye: George said "I suspect that it [meaning the obsession with 7] is only a pernicious, Pythagorean coincidence". What a nice way to put it! 

If you too are not a cognitive psychologist, you might find the Wikipedia version more accessible.

It is often suggested that we should stick to 7 things when presenting in the sense that 7 is allegedly the most points we should expect an audience to appreciate and hopefully remember. It could be called an urban legend. Some people say the magic number is 5 or 3 or 10 ... so I guess the more general version is "a small number" or "a handful" of things, and that's fine by me (assuming an audience lacking in savants anyway!).

That's not all though. There's more to this than the number of things, which usually equates to the number of bullet points on a slide or a paragraph in a document. Their complexity, length and content all matter, along with things such as the font, font size, color and contrast. 

Or to put that another way, aside from the number of items, the characteristics that matter are:
  • Their complexity
  • Their length
  • Their content
  • Font and font size
  • Color and contrast
If you've ever suffered through presentations or reports prepared and presented by inept presenters (and who hasn't?!), you'll know what I mean. Anything can be reduced to a handful of bullet points, a simple list format, but that's not necessarily a good idea. Like all things, bullets are best in moderation.

Sometimes, for instance, it is important, necessary or worthwhile to expand on the detail and explore the subject in more depth than is feasible or sensible for bullet point lists. In place of this very paragraph, I could have added another bullet to that list above, perhaps something like "Level of detail" or "Depth" ... but it's not immediately obvious so I prefer to explain it. Looking back, several of those bullet points above are distinctly ambiguous. What did I really mean by "Their complexity"? Complexity in what sense?

Already we see that the urban legend about sticking to "about 7 points" is decidedly lame and potentially misleading. 

It gets worse still if you accept that the context is at least as important as the content. A novice presenter who flatly reads out the words on the slide is adding no value, destroying it in fact since the tedious monologue is distracting: the audience is generally better-off reading and contemplating the words without the presenter's drone. The opposite applies too: if the presenter goes off at a tangent, that creates a dissonance between the spoken and written words which again can be distracting and confusing.

So far I've only been blabbering on about the style or manner of the communication. Its content is also an important factor, and the audience another. It's easy to cover something simply and superficially with a few bullet points. Not so easy to cover quantum cryptography, for a topical example. Depending on the specific audience, they may: 
  • Not know the term 'quantum cryptography' at all, having never heard it before
  • Have a vague idea about it, a crude understanding, incomplete and possibly inaccurate
  • Know it quite well
  • Be experts, quite possibly more expert than the presenter.
This whole blog piece may be quite narrow and obscure, but I'm getting at some of the factors we take into consideration when preparing what we hope are effective and valuable security awareness materials. There are other factors too, and maybe one day I will pick up and continue this thread. If you'd like that (or equally if not!), please comment below. What aspects would you like me to go further into? What are your challenges in this area? What advice would you offer to those preparing security awareness content?

PS  A fair seven-sided die would be a tricky design challenge.

Wednesday 15 March 2017

The Ides of March

A throwaway comment towards the end of yesterday's blog sent me scurrying down a rabbit hole, well more of a warren really. What is DevOps and how does it relate to security innovation?

In short, as I understand it, DevOps involves integrating and tooling-up development and operations teams so they collaborate in a more effective and efficient way, thus reducing the cycle time between conventional software releases while also delivering better, more resilient and more manageable IT systems.

Sounds great, right? 

Oh but hang on a moment. Haven't we seen this kind of thing before? Isn't DevOps just another movement, a buzzword not unlike Agile, Waterfall, Cloud, Lean, ITIL and more ... none of which turned out to be the Ultimate Solutions their vocal proponents enthusiastically implied or claimed?

They did however deliver philosophies, strategies, elements, approaches and tools that proved somewhat useful and valuable. Truth is they all have their strengths and weaknesses, opportunities and threats, promises and disappointments. DevOps too.

The information risk and security side of DevOps intrigues me. At face value, minor incremental changes appear less threatening than revolutionary and potentially disruptive major releases, especially if the supporting infrastructure, tools and processes facilitate things such as efficient regression testing. However, some information risks may accumulate, some may change in severity and/or probability, and entirely new risks may appear as a consequence of the approach - for example there's the risk of being completely overtaken by a radically different approach or a dramatic change in the market. As a former geneticist, I see parallels here to evolution, including theories such as Lamarckism and punctuated equilibrium. The common factor is that they are theories based around models that attempt to describe relatively complex and incompletely understood activities in relatively simple cause-and-effect mechanistic ways. The difference is that scientific theories are (a) explicitly formulated in a way that is testable, and (b) actively tested, competently, by teams of professional scientists steeped in the field. Admittedly scientists also get passionately committed to their pet theories, some to the point that their human biases cloud or devalue the science. As a global community, however, bad science gets identified and outed, and the field moves ahead by consensus. Integrity overrides both confidentiality and availability.

Things are markedly different in IT. Fads (such as DevOps) are fads largely because of vested commercial interests. Various people and companies hope to make their fame and fortune through each of these fads, feeding off the seemingly insatiable desire for the Ultimate Solution. I don't. I find the very notion of searching for the Answer to the Ultimate Question of Life, The Universe and Everything just as laughable as Douglas Adams did.


So, in keeping with the Ides of March theme, I predict gloom and despondency for anyone who honestly believes DevOps is all they will ever need. Although it may not be pure snake oil, it has the hallmarks of yet another commercially-driven IT fad having its day in the limelight. 

[/rant]

Rapid incremental or evolutionary change has appeal in other domains such as security awareness and security standards development. Do I even dare to hope that the committee behind the ISO27k standards might one day consider reducing its cycle time to approach the rate of evolution in this field? Could DevOps work its magic there? Somehow I doubt it. We are doomed, doomed I tell you, destined to the same fate as the dinosaurs. Obsolescence is so last year.

Tuesday 14 March 2017

Pi day

The awareness messages relating to 'security innovation' are slowly crystallizing, prompted in part by the thinking behind this month's evolving risk-control spectrum diagram:

The diagram shows two overlapping bands of risk:
  • On the one hand, failing to adopt and exploit novel technologies or other forms of control constitutes missed opportunities to the organization, depending on how often and to what extent that occurs.   
  • On the other hand, pressing ahead too quickly with immature technologies etc. increases the risks of failures and costs arising.
Both those risks can be controlled through suitable strategies, policies and approaches concerning the management of information risks. A highly risk-averse organization is likely to be conservative in its choice of security technologies, for instance. While it may avoid the dangers of getting into unfamiliar territory, it may also be missing out on viable business opportunities and failing to address information risks. Conversely, a more gung-ho management might take advantage of new opportunities (such as quantum cryptography) but suffer as a result of unanticipated problems and maybe outright failures of novel approaches since beyond the 'leading edge' lies the 'bleeding edge'. 

I'm hinting that organizations should probably take a balanced, considered approach, hopefully avoiding or at least being prepared for and mitigating those extremes.

There's another issue though, relating to those high-end information risks that can blind-side an unprepared, blinkered or overly conservative organization. I'm talking here about novel threats or exploits, perhaps entirely new classes or modes of attack or significant but as yet unrecognized vulnerabilities and impacts. If the organization doesn't spot and respond appropriately and promptly to them, that could potentially be a catastrophic failure of information risk management.

In the course of using and expanding upon that and other diagrams in the awareness briefings and seminar slide-decks, we often make changes to the diagrams - in other words this is an iterative development process - DevOps you might say ... which fortuitously reminds me of another security innovation theme to bring up in this month's awareness module.


PS  Happy pi day. I hope you enjoy the tangents.

Monday 13 March 2017

Creative innovation

We've enjoyed a weekend off, worn out by the effort of coming up with a bunch of ideas for the next set of security awareness posters last Friday. 

Trust me, it's not easy to design six new posters every month. How would you picture "security innovation"? Seriously, think about that for a moment.*


If you suggested a Google image search, go straight to the back of the class. Copying someone else's design without their permission would be intellectual property theft, and even plagiarising one or using something 'for inspiration' is not exactly ethical. 


Besides which, it's not very innovative or creative, is it? Repackaging someone else's content is like shoving old shoes in a new box. They are still old shoes.

This issue crops up repeatedly in relation to awareness and training materials in general. Google can help us find plenty of content, no problem, but despite being 'free' it carries a cost:
  • Unless it has been explicitly released by its owner into the public domain or is past its copyright protection period, it is probably subject to legal restrictions on copying and use, other than "fair use" as defined in law;
  • Even if it is not covered by copyright, there are ethical considerations ... and after all ethics and compliance are two of the very topics that information security awareness is meant to promote, not denigrate;
  • Much of it is old/out of date, meaning 'more than a few months old' in this field;
  • It was generally written for specific purposes that may not match ours (e.g. for advertising);
  • It was written by a bunch of different people, with different interests, writing styles, knowledge and experience;
  • Much of it is minimally researched and, frankly, badly written. 
Those final two points are of concern in any field as complex and technical as ours. Papers written by students towards their class work or exams, for instance, can be fantastic but those are quite exceptional, not the rule. Most are terribly naive and idealistic, often stilted and written in broken English, regurgitating class notes. The best do at least properly cite useful references, while the worst are plagiarised, biased and/or plain junk.


* If you have six good ideas, plus a couple of extras in case those six don't work out graphically in practice, maybe you should put them into practice ... or share them with us and together we can make them happen. Better still, talk to me about next month's awareness topic: what graphic images spring to mind in relation to 'email and messaging security'? How would you express all that goes with it, preferably in a simple, striking style that says something meaningful, motivational and inspirational? Oh and by the way, your designs need to be feasible for our hard-working graphics team to assemble, quickly.

Saturday 11 March 2017

WIP

Well here we are on the tenth of the month already with April's awareness module looking disappointingly sparse at this point:


Nothing is actually finished as yet (no black ticks) but there are several items on the go and the thinking is in full swing.

The 'train the trainer' piece is the furthest advanced, thanks to two parts. The scope and purpose of the awareness module is taking shape (looks like the name of the module might be "Security innovation"), and we've come up with some creative and innovative ideas for security awareness - quite a few in fact. After furiously writing a page of bullet points I had to take a break in order to get on with other things.

Those 'other things' included discussing some potential ISO27k consulting work with a new client and trying to find out what happened to a previous metrics consulting/training proposal that plummeted into the deep dark depths of the NZ government official tendering process. [Conveniently, the NZ government is currently running a supplier survey about their tendering process, giving me the chance to get a few things off my chest - albeit anonymously because I'm a coward still hoping to get more business from them!]

I've also been thinking, blogging about and discussing the latest revelations on Wikileaks about the CIA's hacking tools. Big Brother's cloak of secrecy is looking distinctly menacing at this time. This is an interesting and vital societal concern that's clearly in the news headlines right now making it a strong candidate for a future security awareness module ... except that we've done a fair bit on and around this topic already, not least as a result of the Snowden debacle. There's a veritable swarm of possible awareness topics floating around the headlines, including governance, accountability, oversight, Big Brother, hacking, privacy, compliance, risk, cybersecurity and more, so it shouldn't be hard to find something relevant that we haven't covered for a while if ever. Responsible disclosure springs to mind, along with whistleblowing, so I'll pencil that into the topic diary (actually a whiteboard in the office).

Meanwhile, our research on security innovation continues apace. We've come across a fascinating insight into the systematic process of hackers finding zero-day technical vulnerabilities in a particular model of webcam. It turns out the cheap Chinese thing is bristling with design flaws and/or bugs that affect a huge number of webcams built around the same OEM core. Who'd have thought it, eh? Worse still, there are little hints that the webcam might perhaps have been pre-infected with botware at the factory, perhaps deliberately. Anyway, it is a handy situation to discuss in all three streams of the security innovation module, including a case study. The story is too technical, complex and obscure to use as-is but we ought to be able to simplify and generalize the case to stimulate a lively discussion around privacy, security and new technology, making it a winner for security awareness purposes.

Thursday 9 March 2017

Sir Veillance

Aside from the obvious effects on the agency and the US government, today's Wikileaks disclosure concerning the CIA's capabilities to hack various technologies is a global concern for our “industry”, or rather our profession, our craft, taking in the information risk, security and related fields (such as business continuity, privacy and compliance) as a whole. 

At a high level, major incidents reflect badly on all of us and are embarrassing … and yet scratching beneath the surface things invariably get more complex and convoluted in practice. There are reasons why things happened and were not avoided, identified, blocked or mitigated. We are where we are in the industry as a result of all that has gone before, including long-term cumulative effects of a gazillion decisions and events and developments along the way, not all of which were ours (e.g. cloud computing, BYOD and IoT/IIoT are three classic examples of areas where information security pros are openly concerned about the information risks, but our voices are drowned out by the incessant demand for shiny new toys). Ours is and will always be a developing, evolving field. Maturity is the journey not the end point. We can always do better.

One more thing to bear in mind is the inherent imbalance: we in the industry have to defend all points at once, while our adversaries need only find and exploit individual weaknesses to gain a foothold, and then perhaps seize the advantage. This is not an excuse but an acknowledgement that in the long run we are “bound” to fail from time to time, hence dealing with incidents large and small is an inevitable and important part of our brief. 

Oh and there’s another: Big Brother is a genuine concern in this sphere. Official secrecy is a dark cloak that covers all manner of goings-on, not all legitimate or in the best interests of society. Some “incidents” are not what they appear: the shocking part of some incidents stems from the disclosure itself rather than what was disclosed.

The nice thing about major, well-publicised incidents (such as Yahoo!'s and the Sony hack) is the insight they give us all, enabling us to explore those difficult questions such as “Could it have happened to us?” and “What makes us confident that we’d be any better off if it did?”. So, in a strange way, incidents are good. They are learning and improvement opportunities, at least. 

The aviation industry’s approach to safety is, for me, a shining example of how we could deal with this issue globally through our industry, partly through the professional/trade bodies, partly through standards and agreements, partly through international collaboration, but mostly through a widespread acceptance among us information security professionals that we share common interests. We all suffer when one of our number gets hit, hence we all benefit by developing and sharing good security practices.

A significant milestone on the road to aviation-style global collaboration and information sharing is when organizations that have suffered major incidents honestly admit their faults and fully disclose what went wrong. We’re sort of at that point right now, partly through privacy breach disclosures, partly through investigative journalism and whistleblowers. We still have an issue, I believe, with delayed disclosures, with cover-ups and secrecy, and with 'challenged integrity' in general. We're not getting the whole truth, for sure. Meanwhile, organizations such as CERT are doing an excellent job of lining things up.

A bit further down the track, I foresee a rôle for itinerant teams of independent experts with their grab-bags pre-packed, ready to fly in and get stuck in to dealing with the immediate aftermath of major incidents, drawing out the general learning points, sharing and extending good practices for the benefit of the global infosec community.

I look forward to the day that changes to IT systems and information processes are, as a rule, (a) properly specified in a true engineering sense; (b) professionally developed, tested and proven, using certified materials, methods, processes, tools and workers; (c) certified competently and independently; (d) implemented formally; (e) documented, managed and maintained formally, in perpetuity.

So, that's a security innovation I would be glad to support.

Innovative awareness

The next awareness topic is security innovation so today I've been thinking up innovative approaches for security awareness to include in the module's awareness activities paper.
"When the classic strategies aren’t delivering, you send in the guerrillas. They’re the extra-special forces – the ones that implement killer strategies to turn the tide and defeat the enemy."  WordStream
Guerrilla and viral marketing suggest a deliberately unconventional approach to security awareness. Instead of overtly promoting information security, privacy, compliance and related matters as usual, awareness messages may be circulated covertly, passed-on discreetly by word of mouth and social media. Think best-kept-secret, not megaphone marketing. Branded suck-blankets and comforters rather than ordinary security posters. 

Eye-catching visual jokes (think Escher, Heath-Robinson or Dali) may spark the imagination, making people laugh and think. Other possible hooks aside from art are alliteration and allegory, paradoxes and conundrums, prose and poems, jingles and tag-lines. 

You can seed the viral process to get it started, for example passing content to selected awareness contacts or leaving small quantities of artwork to be discovered in offices, coffee areas, meeting rooms, stationery stores or similar dark corners of the corporate intranet. 

Prize draws, tickets to social events and other "free" giveaways stimulate more interest, while artificially limiting the number of rewards or the promotional period prompts people to respond quickly. [Hinson tip: you can always release further rewards or extend the period 'due to popular demand', a common technique in retailing. People are strangely drawn to passing bandwagons and fads.]

Another unconventional awareness approach involves using intrigue and doubt to generate interest, perhaps even spreading the exact opposite of whatever message you mean to put across in the sense of playing the devil’s advocate. An example is to turn risk management on its head: instead of asking ‘What do we need to do to minimize information risk?’, try ‘How much information risk can we afford to take?’ or ‘How close to the line can we push it?’.

Yet another creative technique is to take your adversaries' perspectives. Paint a picture of the organization in the eyes of a social engineer, hacker, fraudster or industrial spy, emphasizing the vulnerabilities. Their opportunities are your risks. 

'Painting a picture' itself suggests organizing some sort of creative art competition for employees and their families. Perhaps collaborate with local schools or an art college to come up with an information security-related brief (such as that adversarial perspective thing) and prizes or rewards - which may be as simple as exhibiting a selection of contributed artworks on the premises or online.

'Online' ... hmmmm ... take a long hard look at your Security Zone or whatever you call your intranet site for information security. It does have a name, right, and a logo, a professional design, a good structure and plenty of valuable, fresh content? 

Oh and a blog. Don't forget to keep your blog up to date. Floss it regularly to avoid decay. When was the last time anything was posted? [Hint: if you have to think hard or look it up, the answer is staring you in the face.]

You might already have links to the Security Zone from other intranet pages, perhaps even little advertisements or banners - plenty more opportunities to get creative here. [Hinson tip: which of these two links is likely to generate more clicks, "Click here to visit Information Security's intranet pages" or "Ten top tips to tackle Trojans"?]

In product marketing, distinctive designs and retail packaging are very much part of the mix ... so think about how your awareness content is designed, presented and delivered. If your branding is limited to a lame logo, this is your cue to free your mind and think more creatively about how you are packaging your stuff. 

Stimulate demand for security awareness by finding out what people actually want before attempting to satisfy the demand. Yes, ask them! Run a survey. Give them options/choices and solicit ideas. Interview people. Be careful with this though: if you get a clear direction from your audiences, you had better be able to deliver accordingly, otherwise seeking opinions and suggestions may backfire. Be prepared to juggle your finite resources between potentially unrealistic or conflicting demands and competing priorities. [Hinson tip: demonstrably strong demand and support from employees, especially influential audience groups, can give your next budget proposal a powerful boost.]

By the way, many of these suggestions come from the world of marketing, promotion and advertising, so why not hook up with your organization's marketing professionals? Get their help and creative input, perhaps collaborate on a 'marketing plan for information security' ... and make them more aware of information security in the process (free bonus!).