We are immensely proud of NoticeBored’s record of innovation and creativity.  For nearly ten years, we have been consistently breathing new life into information security awareness, putting those traditional, dull, boring and essentially pointless programs to shame.  We launched NoticeBored back in 2003 with monthly deliveries of three parallel streams of awareness material.  While this approach remains unique in the market, it’s clear from the notes that follow just how far we have come since then.

December - social insecurity

Social engineering, social networking and social media are core subjects for a security awareness program, especially so at this time of year ... more

November - trust and ethics

We re-wrote the ethics module to incorporate trust, trustworthiness and related information security issues.

October - digital forensics

Thoroughly revised and reissued the awareness module concerning computer and digital forensics. 

September - oversight

Oversight incidents and oversight controls are complementary aspects, making this a novel and interesting topic for security awareness programs.

August - ’orrible outsiders

The flip side of June’s module opened employees’ eyes to the big bad world Out There, and the myriad external threats waiting to catch us out.  August’s security awareness module was completely new, written entirely from scratch.

July - compliance and enforcement

Released an awareness module on compliance and enforcement activities. 

June - insidious insiders

Thoroughly revised and updated the insider threat module, extending it to reflect recent advances in the field plus insider incidents that are in the press right now.  Rewrote the page about multi-level security awareness contrasting three distinct awareness audiences.

May - historical security

Prepared and released another brand new security awareness module drawing out information security lessons from the history books, our 40th security awareness topic.  How many facets of information security does your awareness program cover?

April - office security

Emphasized the common risk factors and generic security controls that apply to most offices and workplaces.  Also published customer feedback from Swiss Bank Leumi  (thanks Daniel - we’re flattered!).

March - malware

Security awareness is a vital part of the framework of controls needed to counteract significant malware risks, hence malware awareness is one of our core awareness topics, updated annually to reflect what’s hot in the field of malware.  Reviewed two books: Asset Protection through Security Awareness and Security Metrics - A Beginner’s Guide.

February - BYOD security

Released a brand new security awareness module on Bring Your Own Device, covering the use of personal ICT devices such as laptops, tablets and smartphones for work purposes.  Need a BYOD security policy?  Try our suite of security policy templates for size.

January 2012 - business continuity

The awareness materials on business continuity covered disaster avoidance, resilience, recovery and contingency, going well beyond ISO/IEC 27002’s rather basic coverage.

2011

Awareness topics covered in 2011 included physical security, IPR, cloud computing, database security, learning from infosec incidents, human factors, and six more conventional modules.

Introduced the ‘risk-control spectrum’ diagram, a useful way both to demonstrate the range of security risks we face and to suggest proportional controls.  Since extreme controls tend to be prohibitively expensive, management may notionally ‘draw the line’ at some point by accepting rather than mitigating the more extreme risks.  The spectrum is a way to frame this tricky risk management decision.

Also during the year we updated Information Security 101, introduced a model Corporate Information Security Policy and reviewed an Information Security Governance book.

2010

We introduced the FAQ as a regular deliverable.  They are rhetorical questions, of course, but the Q&A style is both engaging and action-oriented.

Topics covered in 2010 included business continuity, social engineering, security compliance, wireless security, industrial espionage,  human aspects of information security, incident management, identity theft, network & Internet security, malware, cryptography and secure software development.

We reviewed No Tech Hacking, Information Security Management Metrics, Managing the Human Factor in Information Security and the ITIL v3 security book.

2009

We released several new modules, for example on digital forensics and SCADA/ICS security.  Explained how NoticeBored supports bi-modal individual and group learning.  Published a white paper describing the role of information security policy, awareness and compliance manager.  Launched Information Security 101, an information security awareness module for new employee orientation or induction training, covering the basics of information security in simple, straightforward terms.   Updated the white paper on The value of security awareness with additional content and quotes.  Updated the policy manual to reflect the release of ISO/IEC 27000, and various other changes in the field of information security.  Updated the paper on ISO27k and NoticeBored.  Introduced the concept of awareness-on-demand.  Added a new page describing how NoticeBored meets the US Federal Government requirements for security awareness as documented in NIST SP800-16 and other sources.  Released a mini-module on the Downadup/Conficker worm infestation, just ahead of February’s malware awareness module.  Hacked together a virtual bookstore to help visitors find good information security books at Amazon.

2008

Refreshed and updated an awareness module on securing portable IT devices and teleworking (working from home or on the road), now titled “Gizmo security”.  Incorporated the idea of ‘bootstrapping new employees’ and building security (awareness) in from the start, into the induction/orientation module page.  Added information on a new academic book including a chapter on security awareness by our CEO.  Released brand new modules on ethics, information security governance, information security risk management, on information security issues for the average office and on trust, integrity and fraud.  Reviewed Mark Desman’s book on security awareness, The Art of Intrusion, Computer Security for the Home and Small Office, an implementation guide book for PCI DSS and one on incident management.  Introduced the elevator pitches and started selling the poster images for those who only want awareness posters.  Linked to a new security awareness paper by ENISA.  Explained more about security awareness for compliance reasons as a key business benefit of NoticeBored. Updated the business case for a security awareness program.  Added a page promoting our partners.   Linked to an EDPACS article on social engineering and a CERT podcast on social engineering, both by our CEO.  Added a FAQ section to the policy manual page, explaining how we envisage the policy manual being of value.  Released an extensively updated security awareness module on “Plan B” i.e. disaster contingency planning (DCP), resilience, business continuity planning (BCP) and disaster recovery planning (DRP).  Referenced NERC standard CIP-004 in the Why awareness? paper and total immersion security awareness section.  Added a white paper on the state of IT auditing, published in EDPACS.  Explained the concept of total immersion security awareness. 

2007

Released a module on social engineering, one of our ‘core modules’ that we believe every information security awareness program should cover, though not all do.   Added a customer endorsement from Alliance Data (thanks Shannon!).  The ‘laws, regs and standards’ module has a new name: security compliance.  Updated the induction module.  Released a modules on physical security and environmental protection of information assets, insider threats and database security.   Published a sample of our new security awareness tests.  Updated the business case for security awareness.  Released a brand new awareness module about protecting trade secrets against industrial espionage.   Published a review of Lessons Learned in Software Testing, The Insider, Corporate Espionage, Zen and the Art of Information Security,  two IDEO books on innovation, Net Crimes & Misdemeanors, an Insider Threat book,  Know Your Enemy, Google Hacking, Enemy at the water cooler  and an $8 computer security employee awareness booklet.  Updated our white paper on the value of security awareness.

2006

Updated and expanded the induction module.  Described the back catalog, a whole library of creative materials to supercharge your security awareness program.  Published the CISSPforum FAQ.  Used the ‘unconscious competence’ psychological model of learning to explain our approach on the About NB page.  Republished our 7 myths about security metrics paper (published in ISSA Journal).  Started delivering a hyperlinked glossary and a management paper about metrics on each monthly topic.  IsecT and NoticeBored were endorsed by ENISA in a paper for SMEs about building security awareness programs.  Released a generic Information Security Policy Manual, based on ISO/IEC 27001 and 27002.  Reviewed IT Governance - A Manager’s Guide to Data Security and BS 7799 / ISO 17799.  Quoted E&Y on the value of security awareness in our evolving white paper.  Noted the broad range of NoticeBored customers.  Reviewed Managing an information security and privacy awareness and training program (unreservedly recommended) and the CISO Handbook. 

2005

Updated the ‘office clock’ on the contact us page in the forlorn hope of avoiding further calls from the States in the middle of our night ... Reviewed Spies Among Us and Spreadsheet check and control and a neat little awareness book You Are A Loser (all three recommended) plus Tim Layton’s book on information security awareness and an IT Governance book.  Referenced NIST SP800 standards and Mich Kabay’s seminal paper on the psychological aspects of information security awareness in the value of security awareness white paper.  Referenced our ISO27001security website. Released a special free bonus module for security induction training.  Published a special mid-month bonus NoticeBored security awareness module on crisis management and contingency planning, inspired by the amazing London emergency services’ response to the bombs of July 7^th.  Started delivering mind maps and awareness surveys to customers.  Released Seven Steps to Security Awareness and Physical and Environmental Security for Datacenters white papers.  Republished the Build your own security culture presentation because visitors are still looking for it.  Added a glowing customer endorsement to the page suggesting how customers might use NoticeBored.  Added to our piece on why we need security awareness.  [Some enterprising customers are using this piece plus our business case for an information security awareness program to justify a budget line item for a security awareness program.  Good luck to ‘em!].  Launched the NoticeBored blog.  Commented on competitors introducing curiously similar awareness services, albeit some 18 months after we launched NoticeBored ;-)

2004

Updated the Why awareness? paper.  Released an awareness module on wireless networking as a “special”, an extra topic inserted into the planned cycle.  Updated the NoticeBored samples to demonstrate the range and format of NoticeBored materials.  Website privacy policy updated with a more complete formal version here.  Issued a spoof press release on ‘global no-email day’ for April 1st.  Updated the business case paper.  Added a phishing alert page with an offer of four free phishing awareness posters available through the updated contact page.  Added samples of our security awareness posters.

2003

After an 18-month gestation period researching, designing, developing and preparing the concept, NoticeBored finally hit the Web in May 2003.  Our first security awareness topic was malware - a topic we have covered several times since.  Also in 2003, we: launched the monthly NoticeBored newsletter; documented the need for security awareness and a generic business case for an information security awareness program; published white papers showing how NoticeBored topics relate to ISO/IEC 17799 sections and one on Human factors in information security; and released the availability awareness module a month earlier than planned to coincide with news of Blackout 2003 and widespread power cuts in London.

Copyright © 2012  IsecT Ltd.