NoticeBored's 3 target audiences

Three awareness streams for three target audiences

NoticeBored is designed to engage distinct target audiences through three separate streams of security awareness materials, individually written to reflect their different information needs, styles and perspectives:

  1. Staff in general - basically everyone in the organization who handles information, even those who don’t use computers;
  2. Junior managers to senior executives and directors - those in charge of governance, formulating strategy, security investments, directing operations and supervising staff;
  3. IT professionals - those responsible for providing secure and reliable IT systems, networks and services to the rest of the organization.

Read why we have picked out these particular audiences below and find out why total immersion security awareness is so important.

 


1. The general employee stream

Information security is everyone’s responsibility, including those employees who do not actually use computers. NoticeBored delivers straightforward non-technical awareness materials for all employees. In plain English, we explain the issues simply and offer pragmatic advice. We aim to demystify information security in bite-sized chunks. The general materials pick out security issues that affect employees both at home and at work, emphasizing the personal perspective (“What’s in it for me?”).

General information security awareness materials aimed at all employees or staff are relatively non-technical in style, easy to read and should make sense to anyone. The general employee stream gives relatively lightweight, simplified coverage of information security from the perspective of someone who is at best vaguely interested in information security but typically has other, more pressing priorities. We aim firstly to pique their interest using situations, scenarios and examples with which they are likely to empathize, then to provide useful information content including pragmatic suggestions on being more secure and the odd bit of fun to make the messages easier to swallow.

High quality, professionally crafted poster images and screensavers promote the ‘information security brand’ and intrigue employees about the monthly topics. Case studies help people visualize, consider and discuss security risks in familiar contexts. The guidelines and seminars typically refer to news stories about related information security incidents, encouraging employees to consider and discuss information security issues in casual office/corridor conversations and outside the workplace with families and friends. Where sensible, the materials help employees make logical connections between protecting corporate information assets (e.g. antivirus on work PCs) and protecting their own personal information assets (e.g. antivirus on home PCs). Crossword puzzles help to make information security a more accessible, dare we say fun, subject, and the minimal amount of jargon in this stream is explained in the glossary, another of the standard monthly deliverables. Finally, one of the most valuable deliverables is also the shortest. Our ‘take home messages’ sum up every topic on a single page – normally a mind map image and a handful of security awareness tips aimed squarely at regular employees.

By the way, NoticeBored is also suitable for pseudo-employees such as contractors, consultants and temps - basically anyone who works for the organization in any capacity who ought to be aware of their information security obligations.

 


2. The management stream

Management support is crucial for information security so NoticeBored is unique in directly addressing managers in familiar management terms. Non-technical management materials stimulate management’s proactive involvement in information security matters involving them, the organization and their staff. Our aim is to engage corporate managers with information security and IT governance, and help them view information security as a strategic business issue with the potential for competitive advantage as well as risk reduction. NoticeBored addresses points made by Meta (“Although the benefits of information security - increased confidentiality, integrity, and availability - are clear to IT and security specialists, the ‘language’ in which these benefits are articulated is usually unintelligible to business executives.”) and LogicaCMG (“Few can now doubt that information security management is a key strategic issue, but as yet it has failed to make the boardroom agenda in many organisations.”). Concisely written management materials deliberately stress the strategic perspective (“What are the business benefits of information security?”).

Ultimately the behavior and priorities of senior management

The management stream takes a more strategic business- and governance-oriented perspective on information security, highlighting the leadership, risk management, legal/regulatory compliance and commercial aspects as applicable. In order to establish information security as part of the corporate culture, it is important to set the right tone from the top, in other words managers should lead by example, openly supporting the security controls. To this end, we highlight the business opportunities that open up in a relatively secure, risk-managed enterprise, emphasizing to management that strong security is good for business! Getting managers to ‘think security’ involves explaining why security is important to them and the corporation (risk reduction and other benefits) and laying out the options they should consider. Whilst we would not expect most managers to understand the technicalities of, say, database security management, it is reasonable that they should recognize security as an important issue that should be taken into account in a database development project. Project plans and budgets should identify the security tasks, for example.

The management materials have a succinct, no-nonsense style, more formal or professional than the other streams yet without being stilted. We appreciate that managers are invariably busy so most pieces are quite short with even shorter executive summaries. The style is pragmatic, highlighting the practical things that managers can do to help support and embed information security into the corporate culture. Occasional prompts such as ‘Find an opportunity to raise and discuss this issue with your team leaders’ take the simple provision of information to the next level, consistently but quietly encouraging behavioral and attitudinal changes that gradually start to move the whole corporate culture.

Awareness deliverables in this stream include presentation materials for management seminars – illustrated PowerPoint slides and speaker notes, usually based on the mind maps. These help managers quickly absorb key security concepts without getting bogged down in too much reading, and suit those who prefer to ‘think in pictures’. Executive and management briefings provide a little more information than the seminar slides on relevant issues. ‘Board agendas’ are original discussion papers for senior non-executive/executive management that stimulate discussion of strategic information security issues. Generic business case papers bring a commercial perspective to some topics, identifying some of the key costs and benefits of the relevant security controls. Model security policies demonstrate how to document and promote a commonsense approach to security and can be used to benchmark and refresh existing policies or stimulate the creation of new ones. Papers proposing information security metrics are provided for management consideration, promoting measurements that will drive further security improvements.

3. The IT professionals’ stream

If your IT people don’t understand or pay much attention to information security, do you honestly expect them to design, implement and operate the necessary controls? IT people specify, design, develop, implement, manage and operate most of the technical security controls and are therefore expected to understand information security. NoticeBored delivers technical awareness materials to educate and motivate IT workers such as information security managers, security administrators, IT operations staff, developers and other technologists. IT professionals receive background information on the information security risks associated with each monthly topic in our regular newsletter. More detailed briefings (white papers) on specific technical aspects are provided where appropriate. The higher technical content in these materials is designed to intrigue, inform and persuade IT specialists, making information security a routine part of their daily working lives (“What should I be doing to help?”).


IT professionals are addressed in familiar language through their own stream of awareness materials containing more technical content relative to the other two streams. Whilst we do not expect everyone in IT to become an information security expert, it is important that all IT professionals are given at least a basic grounding in information security if we genuinely expect IT to provide and maintain the full range of technical security controls. Even organizations that are far-sighted enough to employ qualified information security professionals (e.g. CISSPs) surely cannot expect those individuals alone to provide all the technological controls needed? In the sense that we are all responsible for security, everyone in IT from the CIO to the IT Help/Service Desk staff has a vital part to play in the corporation’s security infrastructure. Security is an integral part of a professional IT service. We therefore promote a collaborative, risk-based approach. IT has a vital rôle supporting critical business functions by providing a secure shared infrastructure plus the accompanying IT applications and services.

The newsletter briefly lays out the risks associated with each month’s topic, essentially as a ‘requirements specification’ for the associated security controls, at the same time subtly promoting the benefit of structured risk analysis techniques. Presentation/seminar slides, again accompanied by detailed speaker notes, explain the topic in fairly basic terms, while technical briefings and white papers go into more depth for more experienced IT people. Audit-style internal controls checklists can be used to review the technical and other security controls. Finally, a regular monthly deliverable is a paper full of security awareness tips and techniques to stimulate whoever is driving the security awareness program with some creative communications ideas.

Why those target audiences?

We distinguish those particular audiences because they have vital and complementary parts to play in any information security management system. Management commitment, coupled with widespread understanding of information security by all employees and technical support from IT, leads to a secure organization top-to-bottom, left-to-right. It’s a concept we call total immersion security awareness ...

Total immersion security awareness

All the materials in all three streams in any one month cover the same information security topic. They complement and support each other. This unique approach subtly encourages the three audiences to discuss the topic both separately and together, thereby reinforcing the security messages by repetition, immersing employees in information security.

If someone sees something puzzling on the take-home messages, for instance, there are briefings, presentations and various other awareness items on hand to turn that spark of interest into a flame, and perhaps a supportive comment from their manager or an IT person to fan the flames. Returning to the database security example, relevant aspects of database security are brought to the attention of the three target audiences: general employees (e.g. disclosure of our personal data in database security incidents), managers (e.g. governance of the development process for business-critical database systems) and IT professionals (e.g. referential integrity, data validation and security aspects of data dictionary/database design). There is a good chance that a member of staff will hear about database security from several directions during the month – directly by reading the awareness materials or attending an awareness presentation, in team meetings or chatting over coffee, and from management or IT contacts.

In conjunction with the continuously rolling program delivery, NoticeBored’s ‘total immersion’ approach is an important part of creating a genuine security culture. Basically we are leveraging the organization’s people to spread the security messages, not just the Information Security Manager or awareness specialist/s. NoticeBored awareness programs closely match NERC’s Critical Infrastructure Protection standard CIP-004: “Awareness — The Responsible Entity shall establish, maintain, and document a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:

• Direct communications (e.g., emails, memos, computer based training, etc.);

• Indirect communications (e.g., posters, intranet, brochures, etc.);

• Management support and reinforcement (e.g., presentations, meetings, etc.).”

A note about non-computer users

 


“Information security” is subtly different from “IT security”. It’s about protecting information in any form, not purely computer systems and data. Even office cleaners, for instance, should be broadly aware that the organization needs to secure the papers, computer media etc. in the offices being cleaned, even if they have no need to use computers themselves. Many of the NoticeBored materials are immediately suited to off-line distribution to all employees through stand-up presentations, seminars, study groups, discussion groups and introductory-level courses. The posters, briefings, crossword puzzles etc. can of course be printed and circulated on paper. In short, there is no need to log on to use NoticeBored.

 



Copyright © 2008 IsecT Ltd.