Posts

Showing posts from July, 2017

August's cyberinsurance awareness module released

A few hours ahead of schedule, we've just sent customers August's package of security awareness materials covering cyberinsurance - a new field, a novel awareness subject, and the 62nd topic in our bulging portfolio. Cyber risk is an increasingly significant concern to organizations that are critically reliant on IT systems, networks and data ... and can you think of any that are not critically reliant? Aside from the direct, immediate impacts (losses and costs) and effects on business systems, networks and data, cyber incidents may have devastating business consequences if supply chains, perhaps even whole industries and nations are affected. The risk extends throughout and beyond the corporation. Arguably the most effective way to reduce cyber risk is to avoid risky business activities altogether ... but naturally that means forgoing the business benefits of those activities. It's not even possible in some cases. The next best option is to mitigate or reduce cyber risk...

Lambs, more lambs

Despite the looming end-of-month deadline, we managed a few hours off this weekend to visit friends across the bay, passing this little threesome en route, the proud mum with her newborn daughter and son enjoying a bright and sunny but bitterly cold NZ day, so cold in fact that our water pipe froze this morning. Think of us as you Northerners head off to the beach for your summer vacations. We're fine, really, we're OK. We have thick woolly coats. The cyberinsurance awareness module is virtually finished, with just the proofreading and any final corrections left. I'll package and publish it for customers tomorrow, updating the website and this blog with information about the new materials - more than 30 items and 60 Mb of brand new awareness content, on a cutting-edge security awareness topic.

Spring is in the air

As we head inexorably towards Spring, it's peak lambing season down here in New Zealand. We have three woolly bundles huddled down in the paddock already, their little knees knocking whenever a cold Southerly blows in from the Antarctic. The remaining heavily-pregnant ewes have been doing their breathing exercises for weeks, waddling laboriously around and complaining about their backs. Their bags are packed, the route to the birthing suite laid out and well-practiced. Meanwhile the rams can't settle, frequently checking their mobiles for The Call. Having missed prenatal classes, they are somewhat perplexed at the activity and noise just the other side of the fence ...

Hinson tips for risk workshops

A qualitative Risk Analysis typically involves holding one or more 'RA workshops', bringing together a bunch of experts in risk (including but ideally not just information risk), information security, compliance, IT, internal audit and the business (concerned managers, business continuity people) etc. with a competent facilitator (again, ideally someone outgoing with a background in information risk, possibly just a brilliant facilitator with an interest in making it happen and a successful record!) to organize and lead the session/s. Here are my hints on organizing and running RA workshop session/s (based on my personal experience and prejudices: your approach will vary!): Do some preparatory work before even booking or inviting people to the first event - in particular, consider the purpose. What do you expect the organization to get out of it? Why should people invest their valuable time by participating? Find out how other kinds of risks are analyzed/assess...

Terms of art

The day before yesterday I mentioned that we've been discussing terminology and definitions on a couple of professional forums. In exploring the first few terms of art, we've begun peeling back the layers to reveal more complexity beneath. Almost immediately, we realized the need to define some of the terms we were using in the initial definitions - the very reason that our glossary is sprinkled with hyperlinks. Discussing the core term, "risk", we've danced around various ways to express some combination of probability or frequency of occurrence and projected severity or magnitude of impact, losses and other adverse consequences. "Information risk", then, relates to incidents involving or affecting information, hence "information security" involves measures to reduce or limit the number and/or the severity of incidents involving or affecting information ... which is markedly different to the common definition along the lines of 'protec...

Infosec glossary as an awareness tool

By coincidence, two of the professional groups/discussion forums I frequent have both been discussing terminology today. It takes a particular personality type to enjoy discussing terminology, in depth. It requires both tight focus and a broad appreciation of the field. It helps to be well-read, since terms and concepts generally emerge from study or research that may be obscure. It helps also to be open-minded, since terminology is one of those things that fires up experienced and knowledgeable colleagues: the passion is almost palpable! I'm not at all worried about being "put straight" by respected gray-beards - we all give as good as we get, part of the cut-n-thrust of professional discussion. Some might consider us anally-retentive. On the other hand, the information content of language is critically dependent on the meanings, interpretations and implications of the words we use. In relatively new and complex areas such as information security, misunderstandings and ...

Global Risk Management Survey

Yesterday I blogged about various information sources that keep me abreast of the field. Right on cue, here's an excellent example: a shiny nugget I found on the Web today, following my nose from a Google search through several other references and links. Aon's latest Global Risk Management Survey reports on an online survey completed by business people from 1,843 organizations globally at the end of 2016. According to the 2017 report, the top 10 risks of most concern to management are:

1. Damage to reputation/brand
2. Economic slowdown/slow recovery
3. Increasing competition
4. Regulatory/legislative changes
5. Cyber crime/hacking/viruses/malicious codes
6. Failure to innovate/meet customer needs
7. Failure to attract or retain top talent
8. Business interruption
9. Political risk/uncertainties
10. Third party liability (inc. E&O)

I've highlighted #5 - cyber risks - because they are so obviously relevant to information security awareness. Apparent...

Navigating the World Wide Warren

A while back, this blog made it onto Feedspot's top 100 infosec blogs. Today, I finally got around to displaying our medal. Thanks Feedspot. I'm honored to be listed among such awesome company! A couple of times lately, I've been asked how I manage to keep up with the field for our security awareness and consultancy services. Good question! Blogs are an excellent source of information and inspiration. I track a bunch of blogs routinely through Blogger - roughly 40 on my reading list at the moment although some of those are in fact feeds aggregating or streaming an unknown number of individual blogs, and some relate to my hobbies and interests outside infosec. Yes, I have a life! The trick with blogs is to find and track the more creative bloggers who consistently generate good stuff, discarding those who only ever re-post other people's efforts, adding little if any value. [Yes, there are blogs in Feedspot's top-100 that I ought to be following: systemati...

Drawing order from chaos

We're plugging steadily away on August's awareness module on cyberinsurance, with nothing much to report today ... but I will just mention the word cloud. The clutter represents (figuratively) how cyberinsurance words appear to people who hear or read - but don't really understand - them. Words that are relatively commonplace or more relevant to the topic are emphasized in a larger font size to stand out from the remainder but other than that it's obviously a jumble. Helping people make sense of the topic is a general aim of awareness materials and programs of all kinds. We bring out structures and relationships within the topic area, and between this and other topics, forming a mesh or framework to aid understanding. As well as being a useful illustration for the module, the word cloud reminds us to be clear as we prepare the materials, taking our varied audiences into account. The complexity varies both from topic to topic and within any one topic area: a signific...

Awareness + training = learning

"The Trouble if Security Awareness Training Is Mainly a Penalty" is a well-written piece by Dan Lohrmann on the Government Technology website, expanding on several points relating to personal motivation and corporate culture. "I believe transforming the security culture still remains our greatest challenge as we head toward 2020. But how can we get to this elusive 'culture of security' while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?" One of the concepts or approaches Dan discusses is 'just in time training', a buzzword which implies doing away with general awareness activities in favor of something more focused on the specific needs of individuals. I believe that is known as 'training' (!) which certainly has value ... but still I maintain that awareness and training are complementary approaches - neither the...

Cyberinsurance metrics

To illustrate the need for cyberinsurance, we'll be using commonplace IT incidents that are easy to explain in August's awareness materials, being familiar to or readily understood by the target audiences. People who don't already know much about insurance may be surprised to learn that such incidents are not covered by traditional policies - at least not for certain, and not in full. So that's something they will learn. They will also learn that cyberinsurance is available, and (if properly specified) would cover those same incidents. Probably, and again not in full - another learning point. So aside from simply learning stuff, what if anything are people supposed to do differently if August's security awareness effort is effective? To answer that requires us to figure out what behavioral changes might be expected to occur in the organization. One way to think this through is to identify activities that should ideally start or increase, or should decrease or st...

The infosec pitch

A couple of days back I blogged about being more concise and focused in my writing. Today, with that in mind, I wrote the 'elevator pitch' on cyberinsurance. The whole point of the pitch is to get straight down to business so normally we manage to squeeze the key awareness message/s into about 150 words. This month's pitch is just over 100 words (700 characters) and I'm wondering how far we could squeeze it if we really tried. Is it feasible to sum up, say, cyberinsurance in a single tweet? Well, yes, I'm sure we could concoct a message of less than 141 characters ... but why? Are people honestly so snowed-under with information that they can only spare us a few brief seconds? Advertisers face the same issue, hence those lame tag lines we see/hear so often (in NZ anyway) tacked on the end of the ads - things like "The real thing" and "I'm lovin' it". They've reduced the message to the point that virtually all meaning is lost. They h...

Building on awareness foundations

Cyberinsurance is one way to treat some cyber risks. Which ones? That disarmingly simple question has taken next month's management seminar down a couple of interesting avenues. The first concerns the nature of cyber risks that one might reasonably expect to fall within the remit of cyberinsurance. Most don't. Insurers are particular about the kinds of risks they accept, actively managing their own risks and businesses. Second is the distinction between insurance customers' 'reasonable expectations' and the reality of how policy terms and conditions are actually interpreted by the insurance companies and industry, the legal profession including the courts, and the regulators. We can explain the first issue quite easily using the PIGs (Probability Impact Graphs) that we provide in the awareness materials most months. Thanks to repeated prior exposure, we don't need to explain the PIG graphic to the audience laboriously, from first principles: we can leap direc...

On strike

At the weekend I drafted an article, circulated a link to the draft and invited feedback from a bunch of friends in one of the groups I belong to. We had been chatting quite animatedly about something of interest to the group for a good week or more, so I tried to capture the essence of the discussion, doing my best to reflect all perspectives and express the central points. Normally when I write stuff (such as this very blog) and circulate it asking for comment, I get next to no response. Often nothing at all. Nil. Nada. Zip. As if nobody even saw it, let alone had anything to say. [... cue tumbleweed blowing through Gulch Creek to whistling wind ...] This time, the exact opposite - loads of responses and plenty of interaction, almost too much in fact! At first I put it down to the fact that a couple of outspoken friends were a little upset at some of the things I wrote in the draft which, admittedly, were a bit edgy, contentious you could say but not intentionally inflamma...

Peering through the mist

We've started working on August's awareness module, covering cyberinsurance - a new security awareness topic. As with all cyber-things, our first task is to define what we mean - easier said than done, given that cyberinsurance is a neologism, a newly-coined term that means different things to different people and organizations (not least the insurers!). It is often used informally without much effort to clarify the meaning, or in distinctly biased and narrow terms by insurance companies promoting their particular products - smoke and mirrors maybe. For the module, we'll explain cyberinsurance in the business context of commercial insurance ... which means we also need to describe the various forms of commercial insurance, so I've been exploring the web to find out more about that. It's quite confusing so one of our tasks this month is to simplify and structure things for the awareness audiences. It looks as if management will be the primary audience for this topic....

How many topics does your awareness program cover?

A piece on LinkeDin set me thinking this morning - actually several pieces did but I shall spare you my cynicism, other than to say that the unbelievable din of superficial marketing tripe, me-me self-promotion and sycophantic back-slapping on LinkeDin all but drowns out the few grains of useful content. But I digress. Bucking the trend, IT Security Basics: A Basic IT Security Awareness Program for Your Employees by Marc Krisjanous does what it says on the tin, laying out the bare bones of a basic approach to IT security awareness aimed at 'employees' (in other words staff, users, the hoi polloi). Do have a read: Marc has some good ideas in there, a step or two up from the most naive approach that is a common starting point for awareness. On the other hand, and with all due respect to Marc, it falls short of good practice ... which thought made me mull over the lifecycle, the stages through which awareness programs typically develop, in other words another mat...