NoticeBored security awareness topics

   

Creative content for continuous security awareness programs

NoticeBored delivers creative awareness materials through a continuous series of monthly modules on a broad range of topics (more below).  This innovative rolling approach means NoticeBored awareness programs are constantly refreshed with less chance of the materials and messages becoming stale and boring.  Month-by-month, the NoticeBored modules build into a comprehensive library of creative security awareness materials.  If you can’t afford to wait, we can optionally supply the entire back catalog of previously-delivered modules on CD/DVD to get your awareness library and program off to a flying start.

Contrast this with the traditional sheep dip approach to security awareness - an annual lecture to the troops by information security, at once both tedious and pointless.  We all know that most people don’t respond well to these forced-attendance sessions and that their main purpose is to claim compliance with some awareness obligation.  Security awareness is a much more creative, satisfying and cost-effective process with NoticeBored.

Thirty-four information security topics

NoticeBored covers a wide range of information security topics, module-by-module, deliberately taking a broad view of the scope of information security for awareness purposes:

  1. Accountability and responsibility - examines, explains and contrasts these two commonly misunderstood but fundamental concepts in the context of information security and governance;
  2. Authentication and identity management - from choosing strong passwords to identity theft and access control;
  3. Bugs! - errors or flaws in program specification, design, coding or configuration by software development professionals and end-users can create security vulnerabilities;
  4. Change management - covers information security aspects of IT-related changes including patching, testing, configuration management and the implementation of “IT projects” (really business changes);
  5. Compliance - fulfilling obligations under information security-related laws, regulations, standards, plus internal corporate policies, procedures and guidelines;
  6. Contingency planning - includes business impact analysis, continuity planning and resilience, plus IT disaster recovery;
  7. Cryptography - a fun, lightweight introduction to encryption and other cryptographic technologies;
  8. Database security - securing large collections of valuable data against hackers, corruption, loss etc.;
  9. Digital forensics - forensic investigation of evidence arising from information security incidents;
  10. Ethics - looks at the morality and ethics of appropriate versus inappropriate use of the organization’s information assets;
  11. Gizmos - security issues associated with portable IT devices including laptops, USB memory sticks, PDAs and a million other “boys’ toys”;
  12. Governance - roles, structures and reporting lines for the information security management function and its relationships with others such as risk management, IT audit and general business management;
  13. Hacking - tips to counteract hackers, crackers, industrial spies, insider threats, scammers, criminals and other adversaries exploiting network, system and process vulnerabilities;
  14. Human factors - a brand new module covering the human aspects of information security - security culture, awareness, policies and more;
  15. Identity theft - covers phishing and many other forms of identity theft;
  16. Incident management - explains the process for identifying, reacting to, containing, resolving and learning from information security incidents;
  17. Information Security 101 (new employee induction/orientation module) - this is a general module covering the basics of information security (more below).
  18. Information security risk management - processes to analyze and bring information security risks under management control (includes the information security elements of system and network management);
  19. Insider threats - security threats arising from employees on the payroll and third party employees working for the organization in a similar capacity;
  20. Intellectual Property Rights (IPR) - protecting our own IPR and respecting others’;
  21. IT auditing - understand what makes IT auditors tick, what they do and how to work with them more effectively;
  22. IT-related fraud - covers phishing, identity theft and other forms of fraud committed using IT systems and networks, plus the associated trust and personal integrity issues;
  23. Malware (core topic)  - viruses, worms, Trojans, key loggers, spyware, rootkits etc., one of the longest-running information security issues that still deserves careful attention to detail;
  24. Mobile and home working - information security considerations for road warriors and those working from home, including wireless networking (WiFi etc.) and laptop security;
  25. Network and Internet security (core topic)  - all manner of information security issues linked with networking and internetworking;
  26. Office and email/messaging security (core topic) - the average workplace faces a number of information security issues with email, IM, VoIP, physical security and more;
  27. Privacy - protecting sensitive information about people (Personally Identifiable Information, Personal Information or Personal Data), including employees and third parties;
  28. Physical security - protecting the facilities, IT equipment and information assets against unauthorized access, fires, floods, overheating, power disturbance, lightning ...;
  29. SCADA/ICS security - security risks and controls relating to Industrial Control Systems and embedded controllers (such as Building Management Systems and vehicle systems);
  30. Software development - integrating security into the system development lifecycle from specification and design through to maintenance and support, and even end-of-life retirement of systems;
  31. Social engineering (core topic) - the only practical way to tackle this threat is to ensure employees are well aware of the issue, showing them how to spot and resist attacks (currently being updated);
  32. Social networking, social media and Web 2.0 - extends the social engineering topic to cover the security hazards associated with using Twitter, Facebook etc.
  33. Third parties - information security issues resulting from business relationships between organizations, extending the security boundary to suppliers, partners and/or customers;
  34. Trade secrets - covering a spectrum of activities from legitimate market research and competitive intelligence through to unethical if not illegal industrial espionage and information warfare.

The modules are periodically refreshed and updated, sometimes combining related topics and sometimes splitting them apart.  New information security topics are integrated into the cycle from time to time as they emerge.  We put a lot of effort into researching and staying abreast of the very latest information security advances, vulnerabilities, threats and controls, so that we can write knowledgeably about them and impart the essential elements to your employees.  With NoticeBored, your awareness program will constantly evolve and adapt to the ever-changing information security risk environment.

Core security awareness topics

Competitors’ awareness products tend to be static, meaning customers get a one-off delivery of materials that are seldom fresh when delivered and then gradually become even more outdated over time.  It seems to us that information security is a dynamic field.  New security risks (that is, threats, vulnerabilities and/or impacts) emerge frequently, so awareness programs need to be updated frequently to remain relevant and interesting.

While most of our materials are refreshed every three years or so, the four “core modules” covering malware, social engineering, office & email security and network/Internet security are updated and reissued annually.  Along with the Information Security 101 module, these are topics that practically all security awareness programs need to cover.  We refresh them more frequently so that customers can remind employees of their key obligations annually.  If your organization only needs a basic security awareness program, consider using just the core modules and skip the rest ... but then you’ll be missing out on lots of worthwhile and relevant topics, all of which help generate a genuine interest in information security and a culture of security.  Please check the diary page for the sequence of topics we have covered so far and our plans for forthcoming modules.

Information Security 101 - a free bonus for NoticeBored subscribers

The Information Security 101 module contains basic awareness materials on a range of commonplace information security issues for use in new employee security induction courses and orientation training.  This module is also suitable to launch new security awareness programs so we provide it as a free bonus module to welcome new NoticeBored subscribers - in other words, you’ll receive the induction module plus your first regular module when you subscribe to NoticeBored.

The module was thoroughly updated and refreshed in September 2009, adding a number of completely new items to form a more comprehensive package.  Information Security 101 is now available separately if you are not quite ready for the full NoticeBored treatment.

What are “modules” anyway?

Modules are compressed ZIP files varying between about 30 and 60 Mb, containing around 20 to 30 different types of security awareness item each month.  See what’s in this month’s module for a typical example.

The awareness materials themselves are mostly Microsoft Office data files prepared in Word, PowerPoint and Visio, plus high resolution .JPG poster images suitable for professional printing.  We supply fully-editable unrestricted/unlocked files so that customers can customize or adapt the content to suit their specific requirements, for example providing contact details for the Information Security Manager or equivalent, referencing corporate policies, adopting a house style etc.  Customers are welcome to cut-and-paste the supplied content, supplementing existing awareness and training materials and to integrate preexisting or third-party awareness materials where relevant.  If you already use a Learning Management System to deliver information security awareness and training, why not incorporate NoticeBored’s creative materials into your LMS to liven-up the rather drab, lifeless and outdated content usually supplied?

Cross-referencing of related topics and reinforcement of the information security messages brings a coherence and consistency to the NoticeBored awareness materials often lacking in other “awareness solutions”.  It helps that all the materials are written to the same high standard of quality by us.  It’s what we do!

Keep up with recent information security incidents, emerging risks and new security practices through NoticeBored

All our modules include topical information security news clippings and references, highlighting and expanding upon stories that employees will probably have seen in the general news media, or will probably spot once they have seen the NoticeBored content.  The monthly delivery cycle and flexible delivery schedule give us a significant advantage over more traditional awareness products: we can pick up on information security issues more-or-less as they emerge.  Whereas most of our competitors only offer annual updates (if at all!), NoticeBored keeps you bang up to date with current trends.

While we can only cover incidents that are in the public domain, we encourage customers to incorporate information about actual incidents within their organizations into their awareness programs.  This is one good reason why we provide editable files - what better way to bring the security message home to employees than to make them appreciate that security breaches are literally happening around them?

Take a good look at the NoticeBored samples to see exactly what you’ll be getting for your money.


Copyright © 2010  IsecT Ltd.