NoticeBored's 3 target audiences

Three awareness streams for three target audiences

Although they rarely if ever acknowledged it, typical old-school security awareness programs implicitly addressed a single, homogeneous audience - just “employees” or worse still “end-users”.  With a little appreciation of the field of marketing, we realized that in fact the audience can usefully be segmented, that is subdivided into groups with unique awareness needs.

NoticeBored is therefore designed to engage distinct target audiences through three separate streams of security awareness materials, individually written to reflect their different information needs, styles and perspectives.  The audiences are:

  1. Staff in general - basically everyone in the organization who handles information, including those who don’t use computers at all;
  2. Management, from junior managers to senior executives and Directors - those with governance responsibilities, formulating strategy, making security investments, directing operations and supervising staff;
  3. IT professionals - responsible for providing secure and reliable IT systems, networks and services to the rest of the organization.

Discover why we have picked out these particular audiences below and find out why total immersion security awareness is so important.

1.  The general employee stream

Information security is everyone’s responsibility, including employees who do not actually use computers but still handle or come into contact with information assets.  NoticeBored delivers straightforward awareness materials for all employees.  In plain English, we explain the issues simply and offer pragmatic, action-oriented advice.  We aim to demystify information security in bite-sized chunks.  The general materials pick out security issues that affect employees both at home and at work, emphasizing the personal perspective (“What’s in it for me?”).

The awareness materials in this stream are non-technical in style, easy to read and should make sense to anyone.  Relatively lightweight, simplified coverage of information security suits the perspective of someone who is at best vaguely interested in information security but typically has other, more pressing priorities.  We aim firstly to pique their interest using situations, scenarios and examples with which they are likely to empathize, then to provide useful information content including pragmatic suggestions on being more secure and the odd bit of fun to make the messages easier to swallow.

High quality, professionally crafted posters and screensavers promote the ‘information security brand’ and intrigue employees about the monthly topics.  Case studies help people visualize, consider and discuss security risks in familiar contexts.  The guidelines and seminars typically mention topical news stories with an information security flavor, encouraging employees to explore information security issues both at work and at home.  Where sensible, the materials help employees make logical connections between protecting corporate information assets (e.g. antivirus on work PCs) and protecting their own personal information assets (e.g. antivirus on home PCs).  Crossword puzzles help to make information security a more accessible, dare we say fun, subject, and the minimal amount of jargon in this stream is explained in the glossary, another of the standard monthly deliverables.  Finally, one of the most valuable deliverables is also the shortest: our ‘take home messages’ sum up each topic on a single page – normally a mind map image and a handful of practical security tips aimed squarely at regular employees.

By the way, NoticeBored also addresses pseudo-employees such as contractors, consultants and temps, basically anyone who works for the organization in any capacity who needs to be aware of their information security obligations.


2.  The management stream

Management support is crucial for information security so NoticeBored is unique in directly addressing managers in familiar management terms.  Non-technical management materials stimulate management’s proactive involvement in information security matters involving them, the organization and their staff.  Our aim is to engage corporate managers with information security and IT governance, and help them view information security as a strategic business issue with the potential for competitive advantage as well as risk reduction.  NoticeBored addresses points made by Meta (“Although the benefits of information security - increased confidentiality, integrity, and availability - are clear to IT and security specialists, the ‘language’ in which these benefits are articulated is usually unintelligible to business executives.”) and LogicaCMG (“Few can now doubt that information security management is a key strategic issue, but as yet it has failed to make the boardroom agenda in many organisations.”).  Concisely written management materials deliberately stress the strategic perspective (“What are the business benefits of information security?”).

The management stream takes a strategic business- and governance-oriented perspective on information security, highlighting the leadership, risk management, compliance and commercial aspects as applicable. 

In order to establish information security as part of the corporate culture, it is important to set the right tone from the top, in other words managers should lead by example, openly supporting the security controls.  To this end, we highlight the business opportunities that open up in a relatively secure, risk-managed enterprise, emphasizing to management that strong security is good for business!   Getting managers to ‘think security’ involves explaining why security is important to them and the corporation (risk reduction and other benefits) and laying out the options they should consider.  Whilst we would not expect most managers to understand the technicalities of, say, database security management, it is reasonable that they should recognize security as an important issue that should be taken into account in a database development project. Project plans and budgets should identify security tasks such as security architecture and testing, for example.

The management materials have a succinct, no-nonsense approach, more formal or professional in style than the other streams yet without being too stilted.  We appreciate that managers are invariably busy so most management pieces are relatively short with even shorter executive summaries.  The materials remain pragmatic, highlighting the practical things that managers can do to help support and embed information security into the corporate culture.  Occasional prompts such as ‘Find an opportunity to raise and discuss this issue with your team leaders’ take the simple provision of security information to the next level, consistently but quietly encouraging the behavioral and attitudinal changes that move the whole corporate culture.

Awareness deliverables in this stream include presentation materials for management seminars – illustrated PowerPoint slides and speaker notes, usually based on the mind maps.  These help managers quickly absorb key security concepts without getting bogged down in too much reading, and suit those who prefer to ‘think in pictures’.  Executive and management briefings provide further information.  Our creative ‘Board agendas’ stimulate Board-level discussion of strategic information security issues.  Model security policies demonstrate how to document and promote a commonsense approach to security and can be used to benchmark and refresh existing policies, or as templates for the creation of new ones.  Papers proposing information security metrics are provided for management consideration, promoting measurements to help drive further security improvements.

3.  The IT professionals’ stream

If your IT people don’t understand or pay much attention to information security, do you honestly expect them to design, implement and operate the necessary controls?  IT people specify, design, develop, implement, manage and operate most of the technical security controls and are therefore expected to understand information security, yet surprisingly few IT pros have had any formal training in this. 

NoticeBored delivers technical awareness materials to educate and motivate IT workers including information security managers, security administrators, IT network and computer operations staff, software developers and other technologists, including “power users” distributed throughout the business.  IT professionals receive background information on the information security risks associated with each monthly topic in our regular newsletter.  More detailed briefings (white papers) on specific technical aspects are provided where appropriate.  The higher technical content in these materials is designed to intrigue, inform and persuade IT specialists, making information security a routine part of their daily working lives (“What should I be doing to help?”).

IT professionals are addressed in familiar language through their own stream of awareness materials containing more technical content than the other two streams.  Whilst we do not expect everyone in IT to become an information security expert, it is important that all IT professionals are given at least a basic grounding in information security if we genuinely expect IT to provide and maintain the full range of technical security controls.  Even organizations that are far-sighted enough to employ qualified information security professionals (e.g. CISSPs) surely cannot expect those individuals alone to provide all the technological controls needed?  In the sense that we are all responsible for security, everyone in IT from the CIO to the IT Help/Service Desk staff has a vital part to play in the corporation’s security infrastructure.  Security is an integral part of a professional IT service.  We therefore promote a collaborative, risk-based approach.  IT has a vital role supporting critical business functions by providing a secure shared infrastructure plus the accompanying IT applications and services.

The newsletter briefly lays out the risks associated with each month’s topic, essentially as a ‘requirements specification’ for the associated security controls, at the same time subtly promoting the benefit of structured risk analysis techniques.  Presentation/seminar slides, again accompanied by detailed speaker notes, explain the topic in fairly basic terms, while technical briefings and white papers go into more depth for more experienced IT people.  Audit-style internal controls checklists can be used to review the technical and other security controls.  Finally, a monthly paper full of security awareness tips and techniques stimulates whoever is driving the security awareness program with some creative communications ideas.

Why target those three audiences in particular?

We distinguish those particular audiences because they have vital and complementary parts to play in any information security management system.  Management commitment, coupled with widespread understanding of information security by all employees and technical support from IT, leads to a secure organization top-to-bottom, left-to-right.  It’s the concept we call total immersion security awareness ...

Total immersion security awareness

All the NoticeBored materials in all three streams cover the same information security topic in any single month.  They therefore complement and support each other.  This unique approach subtly encourages the three audiences to discuss security topics both separately and together, thereby reinforcing the security messages by repetition, immersing employees more deeply in information security.  If someone sees something puzzling on the take-home messages, for instance, there are briefings, presentations and various other awareness items on hand to turn that spark of interest into a flame.  Perhaps a supportive comment from their manager or an IT contact will fan the flames. 

Returning to the database security example, relevant aspects of database security are brought to the attention of the three target audiences: general employees (e.g. disclosure of our personal data in database security incidents), managers (e.g. governance of the development process for business-critical database systems) and IT professionals (e.g. referential integrity, data validation and security aspects of data dictionary/database design). 

There is a good chance that a given employee will find out about, say, database security from several directions during the month:

  • Directly by reading the general employee awareness materials, browsing Information Security’s intranet Security Zone or attending an awareness seminar;
  • In team meetings or just chatting with friends and colleagues over coffee; and
  • From management or IT contacts.

NoticeBored awareness programs fulfill the security awareness requirements of NERC’s Critical Infrastructure Protection standard CIP-004.

In conjunction with the monthly delivery, NoticeBored’s total immersion approach to information security awareness is an important part of creating a genuine security culture.  Basically we are leveraging all your people - not just the Information Security Manager or awareness specialist/s - to spread important security messages.

Supporting both individual and social modes of education

NoticeBored provides awareness materials supporting both individual study and social learning in group settings.  Individual members of the target audiences benefit from reading and quietly reflecting on the newsletters, briefing papers, crosswords, guidelines, mind maps etc. when they find the time, while the seminar presentations, case studies, Board agendas etc. are designed to encourage the audiences to discuss the content openly, interacting both with each other and with the facilitators/seminar leaders.  Our total immersion security awareness concept creates numerous opportunities for people to recall and recount key information security messages, constantly reminding each other of the importance and relevance of information security and thereby reinforcing the security controls.

A short note about non-computer users

“Information security” is subtly but quite deliberately different from “IT security”.  It’s about protecting information in any form, not purely the computer systems, networks and data.  Even office cleaners, for instance, should be broadly aware that the organization values and needs to secure the papers, computer media etc. in the offices they are cleaning, even if they have no need or authority to use corporate computers themselves.  Many of the NoticeBored materials are immediately suited to off-line distribution to all employees through stand-up presentations, seminars, study groups, discussion groups and introductory-level courses.  The posters, briefings, crossword puzzles etc. can of course be printed and circulated on paper.  In short, there is no need to log on to benefit from NoticeBored.

Copyright © 2010  IsecT Ltd.