Creative security awareness
We're slaving away on the 'malware update' security awareness and training module for March. Malware is such a common and widespread issue that we cover it every year, making it potentially tedious and dull. People soon get bored by the same old notices - not exactly ideal for awareness and training purposes. 

Simply tarting up and repackaging malware awareness materials we have delivered previously would be relatively easy for us but is not sufficient. Our subscribers deserve more! Aside from needing to reflect today's malware threats and current security approaches, we must find new angles and inject new content each time in order to spark imaginations and engage the audiences, again and again. 

Luckily (in a way), malware is a writhing vipers' pit, constantly morphing as the VXers and antivirus pros do battle on a daily basis. So what's new this year?

The rapid evolution of malware risks is a story worth telling, but how can we actually do that in practice? We favor a strongly visual approach using an animated sequence of Probability Impact Graphs (PIGs) to explain, year by year, how specific malware risks have emerged, grown and then mostly faded away as the world gets on top of them. 

It would be great to have the foresight to predict next year's malware PIG, projecting forward from today's, but that's tricky, even for malware experts (which I'm not). The best I can do is pick out a few trends that illustrate the kinds of things that we might be facing over the remainder of 2019 ... and perhaps make the point that uncertainty is the very essence of 'risk'. If we knew exactly what to expect, we could of course prepare for it and, better yet, avoid or prevent it from happening: we don't, hence we can't, hence we need to be ready for anything, a point that links neatly back to January's awareness topic of resilience and business continuity, and forward to April's on incident detection. 

And so our cunning strategic plan continues to bear fruit. Although we cover different topics every month, they are all part of information security, all in and around the same core area. The approach is quite deliberate: we're poking at the same blob from different directions, exposing and exploring different aspects in order to help our audiences appreciate the whole thing, whilst at the same time avoiding information overload (trying to cover it all at once) and boredom (the blinkered view). Sometimes we take a step back for more of an overview, occasionally we dive deeper into some particular aspect that catches our attention and hopefully intrigues our customers, especially those with relatively mature awareness and training programs. Advanced topics tend to be quite narrow in scope, but even with those we make a conscious effort to link them into the broader context. 

Key words such as 'information', 'risk', 'security', 'control', 'governance' and 'compliance' inevitably crop up in almost every module. Talking of which, we've come up with a new style of awareness material for March, a malware encyclopedia derived from our information security glossary. The full glossary is a substantial piece of work, over 300 pages long, a whole book's worth of content. It's a fantastic reference source for professionals and specialists working in the field, so good in fact that we use it ourselves since remembering all the fine details on more than 2,000 information security terms is beyond us.

I'll have more to say about the encyclopedia tomorrow. For now, must press on, lots to do.