February’s security awareness topic is “Mistakes”
Outline and scope
Security awareness and training programs are primarily concerned with incidents involving deliberate or intentional threats such as hackers and malware. This month, we take a look at mistakes, errors, accidents and other situations that inadvertently cause problems with the integrity of information, such as:
Using inaccurate data, often without realizing it;
Having to make decisions based on incomplete and/or out-of-date information;
Mistakes when designing, developing, using and administering IT systems, including those that create or expose vulnerabilities to further incidents (such as hacks and malware);
Misunderstandings, untrustworthiness, unreliability etc. harming the organization’s reputation and its business relationships.
Mistakes are far more numerous than hacks and malware infections but thankfully most are
trivial or inconsequential, and many are spotted and corrected before any damage is done. However, serious incidents involving inaccurate or incomplete information do occur
occasionally, reminding us (after the fact!) to be more careful about what we are doing.
The awareness material takes a more proactive angle, encouraging workers to take more care with information especially when handling (providing, communicating, processing or
using) particularly important business- or safety-critical information – when the information risks are greater.
This month’s module:
Introduces the topic, describing the context and relevance of mistakes to information risk and security;
Expands on the associated information risks and security controls;
Offers information and practical advice motivating people to think, and most of all act, so as to reduce the number and severity of mistakes;
Fosters a corporate culture of error-intolerance through greater awareness, accountability and a focus on information quality and integrity.
Consider your learning objectives in relation to mistakes, errors etc. Does the organization have persistent problems in this area? Is this an issue that
deserves greater attention from staff and management, perhaps in one or more departments, sites/business units or teams? Have mistakes ever led to significant incidents?
We recommend customizing the content supplied, adapting both the look-and-feel (the logo, style, formatting etc.) to suit your awareness program’s
branding, and the content to fit your information risk, security and business situation. Incorporate additional content from other sources, or cut and paste selections from the NoticeBored materials into your staff newsletters, internal company magazines, management reports etc.
We suggest you organize security awareness seminars, preferably live in person with a suitable seminar leader or online through a Learning Management System or intranet (perhaps both!). The awareness briefing papers
expand on the topic for those who prefer to read at their own pace. The FAQ and executive-level materials
are aimed at those too busy or disinclined to read much.
Run the awareness challenge in a relaxed social setting, and work through the case study in small groups, perhaps as part of a seminar or workshop.
Decide on the prize/s then circulate the wordsearch puzzle and security test
to workers. Reward previous winners, publishing their details plus the winning solutions from last month’s challenges. Remember the prize menu in the Information Security 101 module.
Use the awareness survey
to gather metrics plus feedback comments and improvement suggestions for your security awareness program.
Discuss the generic model/template policy
with management, comparing and contrasting it against any policies you already have in this general area.
There’s a huge choice of error-related metrics: what are you using? What metrics would management value?
Various specialists have a professional interest in this area, particularly those in IT. The newsletter, pro seminar, pro briefing and Internal Controls Questionnaire are all designed to pique their interest or grab their attention.
In conjunction with HR/Training, you might like to update your new employee induction/orientation pack on this topic, and perhaps other relevant training
Get this module
Subscribe to the NoticeBored service to receive this module, plus similar batches of security awareness and training materials delivered fresh to your
organization every month. We offer a wealth of top-quality creative content on a market-leading range of information risk and security topics making it
easy and economic for you to run a world-class security awareness and training program.
Email us to set the ball rolling. Find out what it takes to get your security awareness and training program quickly up to speed, for a lot less than you
might think. We’re a small company with a big reputation for quality and innovation.
If you only want this module, then yes we can do that too.
Tag along with us on NBlog as we work on the next awareness topic. In addition to clues about what’s coming up, we share hints and tips on making
security awareness more effective.