Wednesday 8 March 2017

Security awareness topics

Way back in the 1990s when I started doing security awareness, the widely held view and generally accepted method (best practice?) was to run periodic 'IT security awareness and training sessions' that would typically:
  • Be planned as employee communications or corporate events, in other words a mechanism for management to communicate (broadcast) stuff to staff;
  • Force as many "users" as possible (as in IT users, not even all employees or workers) together in a large meeting room, roughly once a year;
  • Last for an hour, or at most three;
  • Cover several topics, generally whatever happened to qualify as 'issues' for the organization or management's 'key concerns' at the time;
  • Lecture at people, mostly describing policies and instructions; 
  • Offer precious little practical advice or guidance other than dispensing dire warnings about what would happen in the case of nonconformity (suggesting their primary purpose, although it was seldom acknowledged or stated openly);
  • Be dull as dishwater - deadly serious, erudite, matter-of-fact and largely devoid of emotional appeal, let alone fun and engagement;
  • Be openly despised by everybody (including the nascent information security profession) and actively avoided by "users" if at all possible.
They were either unmeasured or had lame metrics such as purely subjective and patently biased impressions of 'how well that went' expressed informally by those running the session (seldom were the "users" even asked!), or a simple estimate of the number of "users" physically present. Even the obvious derivative metrics such as (number present divided by number invited) or (number present divided by total number of "users") or (number present times duration of session times average employee cost) were uncommon, perhaps because they made such depressing reading!

Having organized and run a couple of awareness sessions like that myself, I came to my senses. It simply wasn't working in practice, and it wasn't cost-effective at all, so the whole approach deserved a re-think, which meant a conscious break with tradition.

The first change was to stop trying to cover a whole bunch of stuff in the one annual session. I can't understand why anyone (including me!) ever thought that was a sensible approach in the first place, other than the fact that, as I said, it was the generally accepted practice of the day. It was a meme, propagated by several well-meaning but short-sighted people through standards, methods and articles about security awareness and training. Instead, we decided to deal with particular issues as they arose during the year, rather than piling them up and roasting the whole lot in one go (a bit like bonfire night).

I distinctly remember designing little security awareness things - simple messages or instructions expressed in an active voice. One of the issues we tackled through awareness was how to use the write-protect tab on 3½" floppy diskettes (which is a clue to the date!). A tiny annotated diagram fitted neatly onto stickers, adjacent to the write-protect tab, leaving room for three other things: (1) a lined area for the "user" to write a label for the disk; (2) a message about checking the disk for viruses; and (3) our security awareness program logo. The logo may sound trivial but was used to bind all the security awareness program materials together, in other words we were using branding, even before I really knew what that meant!

So, that was one of the awareness topics, but what else is there? Actually, it's not hard at all to come up with others. We have just covered our 60th security awareness topic and we're working on another new one this month. For further inspiration, I highly recommend Rebecca Herold's excellent book "Managing an Information Security and Privacy Awareness and Training Program".

An obvious approach is to decompose 'the whole domain' (whatever that actually encompasses in your organization) into bite-sized chunks, then work through them, perhaps in a pre-planned sequence that makes sense (e.g. start with the basics then move on to more advanced or involved topics). The approach we favor, however, is more flexible: we plan just three topics ahead, and even those three may change somewhat as the research and development occurs, for example if something new and interesting pops up (such as ransomware). We also repeat selected 'core topics' once a year: these are the basics mentioned a moment ago, things like malware, social engineering and physical security. Repetition means nobody escapes the basics if they hang around for at least a year.

In our case, 'bite-sized' means a month's worth of awareness content. We figure a month is long enough to delve into some depth for the awareness audiences that need it (not all do), and yet, hopefully, short enough to hold everyone's attention before moving on to the next topic.
