The value of visuals
Whereas tangible information assets and physical security are different to the intangibles we normally address, the process of managing the information risks is essentially the same:
Variations on that diagram feature in many of our security awareness materials since the information risk management process is central to information security.
In June, we'll elaborate on it in the particular context of physical information assets and risks thereto, using typical assets, incidents and situations to help people understand what we're concerned about.
In subsequent modules, we'll pick out different aspects according to the monthly topic, and occasionally we'll zoom-in to explore certain parts of the process in more depth - risk identification, for instance, or incident management.
We may tweak the layout here and there but, over time, our awareness audiences gradually become familiar with the process - one of a handful of core concepts underpinning the field. These are themes linking individual information security awareness and training messages together into a coherent story or picture that plays out during the years.
The formatting/style of the process flow diagram is another aspect that we aim to keep reasonably consistent from month-to-month. Once you've been shown and talked through any one of them, other processes are easier to understand since they are described in familiar terms. We consistently use visual cues to highlight specific parts of the diagrams (e.g. the deep red "Incidents and close shaves" box) while red-amber-green coloring features in every module (e.g. in our Probability Impact Graphics).
Diagrams are an invaluable tool for awareness and training purposes, flexible and expressive, supplementing and enhancing the written and spoken word. For instance, those six numbered blobs on the diagram will link to a process description laying out, explaining and elaborating on the six key activities in words.
The diagrammatic approach is quite straightforward, obvious and natural but, in our experience, many information security and technology professionals struggle to prepare and utilize decent diagrams: they can sketch things out on paper but (short of scanning the scraps!) converting rough drawings into more presentable and useful formats is challenging. It takes time, effort and skills. Despite our decades of practice, we invest a lot of time and creative energy in both figuring out and presenting concepts, processes, relationships etc. visually every month because it pays off. Better still, it's fun.