Spinning the security awareness yarn

The number and variety of information risks relating to email and inter-person messaging is both a challenge and an opportunity for the awareness program. On the one hand, there's a lot to cover hence no shortage of things to say. On the other hand, the coverage tends to be 'bitty' and quite superficial because we don't have time to go into everything in detail.  

We tackle this in several ways:

1. We mention a wide variety of issues illustrating the risk landscape. Diagrams such as the ARA graphic and mind maps are helpful, presenting lots of information in structured, visually-appealing and thought-provoking ways. 
   
   
2. We use recent/current incidents, risks, controls and news concerning the topic to illustrate and draw out the key points as they stand today. As well as being topical, they turn the spotlight towards present and future issues rather than dwelling on stale news. We're running on Internet time here: yesterday is so last week. At the same time, we are where we are because of our history and the past can teach us a lot.
   
   
3. Email/messaging security issues such as phishing and malware are significant enough to warrant in-depth coverage in separate, dedicated awareness modules, so we only need skim them in this module. This approach avoids us going off-track along tangents. They are important issue, though, so we won't totally disregard them! 
   
   
4. We identify and exploit themes to lead our audiences on planned routes through the confusing risk landscape. The idea is two-fold: as well as spinning coherent, interesting yarns within the present module, we're also continually reinforcing the fundamentals of information risk and security as threads linking all the modules and topics.
   
   
5. The content is only part of our customers' security awareness programs (hopefully!): through the PowerPoint speaker notes, briefing papers and train-the-trainer guide, we actively encourage our customers' security awareness people to engage and interact with their audiences, bringing the materials to life in the specific business contexts of their organizations. 

Story-telling is a powerful yet ancient information-sharing and educational technique, stretching back millennia to cave art and mythology such as the Trojan horse. Children learn about stuff through bedtime stories told and re-told by parents and peers. As we grow older, most of us shift towards non-fiction but fantasy and science-fiction remain as popular as, say, the 6 o'clock news and factual documentaries - and even they tell stories.