Posts

Showing posts from February, 2020

InfoSec 101 module on sale

Whereas usually our awareness and training modules focus in some depth on one of the 70 information security topics in our portfolio, Information Security 101 is a broad but shallow module. It is designed to bring workers quickly up to speed on the basics of information risk and security during security induction courses, for periodic refresher training, or when launching an awareness program. As soon as a new worker arrives, they start absorbing and being assimilated into the corporate culture, picking up 'the way we do things here'. Sensible organizations run orientation sessions to welcome newcomers and kick-start the cultural integration. InfoSec 101 covers common information risks (e.g. malware) and information security controls (e.g. antivirus). The materials are deliberately succinct, outlining key aspects without delving into the details. We're not trying to tell workers everything about information risk and security all at once but to set them off on the righ...

A good day down the salt mine

The remaining items for the recycled Information Security 101 module are falling rapidly into place. It will be a bumper delivery with fifty (yes, 50) files already in the bag. One of the regular end-of-month jobs involves matching up the awareness items - the files - with the contents listing and their descriptions in the train-the-trainer guide. Years back I came up with a simple numeric naming scheme to make it easier to get the files in order and link them with the listings. Good thing too: this afternoon I came across one listed item that I've decided to drop from the module, and about three additions that need to be listed and described. There's still a little time left before delivery to change things further and renumber, again, if we need to ... which emphasises the value of these final quality checks before packaging and despatch. Another part of the quality assurance process is to open and review the content of all the files. This is our last chance to spot speli...

InfoSec 101 for professionals

Today I'm working on the Information Security 101 awareness seminar for professionals, by which I mean workers with a professional interest in information security. As with the staff and management seminars, the aim is to cover the basics in a way that appeals to the audience: I figure the professionals are more clued-up than most, particularly on technology, so it's appropriate to go into a little more depth here on the fundamental concepts ... starting with risk and control. The diagram above represents the nature of risk, i.e. 'uncertain outcome'. That's a seminar slide's worth, with a few words from the presenter briefly explaining each of the red-amber-green spectra as they appear on the screen. The next slide contrasts two complementary forms of control: either we stop harmful things from occurring by avoiding, preventing or mitigating incidents, or we ensure that good things occur - and that's an intriguing thought. What does that actually mean i...

The educator virus

From time to time, people get all excited about micro-learning, the educational equivalent of eating a chocolate elephant - one bite or byte at a time. "It's easy", the line goes. "Simply break down large indigestible topics into lots of smaller edible chunks, spreading them out enticingly for people to snack on whenever they feel peckish." I've tried that with our digital awareness content. For some strange reason, nobody was hungry enough to consume the random assortment of ones and zeroes, hundreds and thousands of bits all over the disk. Evidently it's not quite that easy. Education is never easy, if you want it to work well that is. Micro-, milli- and macro-learning, online learning, traditional classroom-based courses, webinars and seminars, conferences, educational events, rote and experiential learning, on-the-job training and demonstration classes, mentoring and so on are neither simple nor universal solutions. They each have their pros and cons...

Proceed with caution

Using the Information Security 101 theme I mentioned on Feb 14th, I'm close to finishing the first set of presentation slides with a preponderance of yellow and black. Through a carefully chosen sequence of bright, clear images, no bullet points and very few written words, the slides tell a visual story based around risk. The core message is that information security is less a case of stopping the business from doing things, than of being vigilant. 'Proceed with caution' sums it up nicely. Given the elegance, simplicity and power of those 3 words, I'm not sure whether to elaborate on information risk and information security at all, in fact. I guess we'll mention a few current threats, some recent incidents and typical controls in the speaker notes but I rather like the idea of leaving it up to the presenter/trainer to decide how to play things at run-time - during the induction courses and awareness program launch sessions for which the 101 module is d...

Brahms and Liszt

Fueled by a lot of Brahms and a wee tot of rum, half an hour's idle brainstorming on the purpose and objectives for information security awareness generated the following little Liszt:
Rites, rituals
Rite of passage
Ritual slaughter
Religions
Belief systems
Cult, visionary leader, positional power, faith
Sheep, lemmings
Wolves, packs, threats, skills
Group-think, conformity
Compliance, rules, constraints, in the box
Individuality, creativity, nonconformity, freedom, out of the box
Hippies, communes, cliques
Hallucinogens
Noncompliance
Cultural norms, expectations
Counter-cultural, bucking trends
Conventions, habits, preferences
Automatic behaviours, instincts
Socialising infosec
Social pressure, influence, shared values
Social acceptability
Social structures, hierarchies, links
Networks and relationships
Families, organizations, departments, teams, groups, cliques
Nations
Interactions
Dynamics
Pressures
Battles, wars, competition for scarce resources
Reproductive success
Change, c...

Neat and tidy

My perfectionist streak flared up with a vengeance today. First I spent a productive couple of hours checking and revising the content of our generic/model Acceptable Use Policies, intending to include them in the updated Information Security 101 materials. Aside from reviewing and tinkering with the information content, this also involved standardising the formatting of the AUPs by using the same MS Word template with specific styles for all of them. The AUPs have been updated at various times in various awareness modules and I noticed that, somewhere along the way, I must have changed the bullets and colouring for the 'acceptable use' and 'unacceptable use' points. Evidently I have also meddled with the boilerplate text that tops and tails each AUP, making them slightly inconsistent. To my beady eye, this will not do! Unsure how to name the model AUP files, I toyed with the idea of making a single multi-page document containing them all b...

Tips on security induction sessions

The Information Security 101 management presentation is coming along ... but I'll need to rein in my enthusiasm for all things yellow to refocus on the information security essentials: one of the challenges with induction training is keeping it within a tight timescale. 'Speak fast!' is not the answer because the audience probably won't take it all in, given that information security is just one of several important induction topics. It's trial by fire for them. Some of our customers will have more time for induction training than others, so my cunning plan is to make the 101 presentations flexible. Customers who have the luxury of more time can elaborate on pertinent details and interact more extensively with the inductees. Those short of time may want to skim through or skip some of the slides ... but I hope to encourage them all to make the time to introduce inductees to the information security team. Making that personal link starts the long process of gettin...

This year's InfoSec 101 theme

I've come up with a new theme for the Information Security 101 presentations, with a striking visual metaphor. As I was picking out general-purpose security-related graphics from our stock for the slide decks, I noticed a preponderance of yellow ... which led me to think about warnings in nature (such as the yellow and black stripes of this wasp) and on the roads (driving hazards), plus the classic Red-Amber-Green traffic lights. RAG colours are a simple visual cue, well suited to a basic induction or awareness refresher module. The concept gradually forming in my head is that we would like to get to green (as in "Go ahead, get on with the business ... safely") and, wherever possible, avoid the reds ("STOP! Dangerous!"), so amber ("Caution: hazards") is the path trodden by the security awareness and training program. I have in mind using a few reds and greens to illustrate the range but mostly I think we'll focus on those ambers in the ...

Terms of art

Yesterday I wrote about the laborious process of condensing our comprehensive 300+ page information risk and security glossary to something much more succinct and appropriate for inductees, new to the organization and the topic. So far, the Information Security 101 glossary is down to just 15 pages but it's not finished yet. I am systematically reconsidering the relevance of each term and, for those destined to remain in the glossary, composing a straightforward explanation that encapsulates the concept in just a few simple words. Well, that's the aim anyway! I balked at describing cryptography, even though I'd quite like everyone to have at least a rough idea of what it is about. Maybe today the inspiration will come. There's a nice bonus to all this: the terms that made it into the Information Security 101 glossary will go into a word-grid and possibly also a crossword if there's time. If people find unfamiliar words in the puzzles, they can look t...

InfoSec 101 terms

Our information risk and security glossary has grown steadily over the years to a document of about 100,000 words over 350 pages defining 3,000 terms. That's easily a book's worth (maybe we should publish it!), and way too much information for the Information Security 101 module, so I spent yesterday paring it down to a more sensible size. The easiest approach was to chop out obscure/specialist terms and their definitions, then go through again to catch the ones I missed. Next I set to work trimming down the definitions for the remaining terms, simplifying the wording and removing the quoted extracts from the ISO27k and other standards and references. Some terms are context-dependent - they normally mean one thing but can mean something else. For the purposes of the 101 module, I've chopped off the 'something else' explanations. So now we're down to 11,000 words and 40 pages, defining about 400 terms. Still more than I'd like for Information S...

InfoSec 101

For March, we're working on our final update to Information Security 101. Unlike our usual awareness modules, this one covers several information risk and security topics at a deliberately simplistic level. Its main purpose is to provide a gentle introduction, for example in new employee induction or orientation training, or as a launch module for organizations just starting or re-starting their awareness and training programs, bringing everybody quickly up to speed. So what should it cover? For the general staff audience, I'm thinking:
Information risk and security fundamentals, including common terms
Policies and procedures, with a touch of compliance
User IDs and passwords ... and why they matter
Backups
Patching
Phishing and other social engineering scams
Apps and mobile security
Ransomware and antivirus
Physical security in the office
Physical security when on the road or working from home
Cloud, Internet, network and system security basics
Vigilance: spotting, reacti...

YMMV

Once more today I find myself drawn into an interminable discussion over on the ISO27k Forum. This time around, it's with a member who (as I see it) steadfastly refuses to remove his IT blinkers and acknowledge that - perhaps - there's more to information risk and security management than IT security, that he can't simply ignore the rest or claim/pretend that it's someone else's problem. His little IT world defines his horizon, and everything beyond the edge is (to him) at once both unseen and scary. And to be fair to him, I'm just the same. OK, so my blinkers don't say "IT" all over them but it's true I perceive the world in terms of information risks. I can't help it. It's how my brain works. I have something of an idea of what lies beyond that horizon, but nevertheless it's scary because that's not my domain of knowledge, experience and expertise. It's not my home turf. It makes me uncomfortable. Take 'financial risk...