InfoSec 101

For March, we're working on our final update to Information Security 101. Unlike our usual awareness modules, this one covers several information risk and security topics at a deliberately simplistic level. Its main purpose is to provide a gentle introduction, for example in new employee induction or orientation training, or as a launch module for organizations just starting or re-starting their awareness and training programs, bringing everybody quickly up to speed.

So what should it cover? For the general staff audience, I'm thinking:
  • Information risk and security fundamentals, including common terms
  • Policies and procedures, with a touch of compliance
  • User IDs and passwords ... and why they matter
  • Backups
  • Patching
  • Phishing and other social engineering scams
  • Apps and mobile security
  • Ransomware and antivirus
  • Physical security in the office
  • Physical security when on the road or working from home
  • Cloud, Internet, network and system security basics
  • Vigilance: spotting, reacting to and reporting concerns
  • Who's who - putting faces to the names behind information security
For the management audience:
  • Information risk and security management basics e.g. net value of incidents avoided/reduced less the costs of control
  • A little more on compliance e.g. privacy
  • Roles, responsibilities and accountability, with a little on governance
  • Strategies, architecture, plans and big-picture-stuff
  • Insider/outsider threats including fraud
  • Awareness and training, plus motivation and culture, plus 'executive security'
  • Information security in business relationships e.g. with vendors, partners and customers
  • Security metrics, reporting and systematic improvement
  • Business continuity
For the professional audience:
  • Identification and authentication
  • Access controls
  • Logging, alerting and alarms
  • Cryptography fundamentals
  • Cybersecurity vs information security
  • Intellectual property? Copyright at least
That's already quite a lot. It would be easy to overwhelm people with too much all at once, or conversely to bore them stiff with trivial, superficial, condescending material. We need to find ways to help people navigate the content, touching on all the main points and, if they wish, dipping deeper where appropriate. Most importantly, the content needs to be interesting, engaging and relevant - which is another challenge since that depends, in part, on the business context: key awareness messages are bound to differ in emphasis if not content between, say, a tech company, a bank or a charity. That suggests an initial activity for the person or team receiving and thinking about how to use the awareness module ... figuring out what are the essentials, the things that everyone needs to know?