Security Awareness and Competence Blog

30 second security awareness training

Hi,

It is not difficult to make security awareness training a continuous process by delivering short and sweet security awareness training modules regularly.

This video focuses on the importance of keeping whiteboards clean, in 5 simple steps. The advantage of this type of module is that it takes very little time but occupies a large share of mind space.

Click on the image below or click here.

Warm regards,

Anup
Information Security Quotient (ISQ)

Free PPT for Security Awareness Training for Top Management

Hi,

A presentation that I gave recently to a top management group, focusing on the human factor in information security. The presentation covers:

1. Why people make security mistakes
2. How security decisions made by people are influenced by “Perception”
3. How ISMS can be improved by influencing the “feeling of security”

You can also click here: http://www.slideshare.net/NarayananAnup/the-difference-between-the-reality-and-feeling-of-security

These thoughts were inspired by an article by Bruce Schneier titled “The Psychology of Security” – http://www.schneier.com/essay-155.html

Do drop me a note if you wish to discuss more on this.

Warm regards,

Anup

Free Video – Knowing Security is not the same as Practicing Information Security

Hi,

I believe the term “information security awareness” is incomplete. It must be “information security awareness and competence”, because “awareness” is only half the job. Awareness training makes the employee learn important information security policies, fundamentals etc. But that is only half the job. After the teaching, the employee must also prove that they are applying what they have learned correctly. How do you do this?

This is where the organization must look at the human factor in information security as a whole and create a comprehensive plan that addresses both awareness and competence. This plan must have:

1. An awareness program
2. An awareness assessment program
3. A competence assessment program

I have created a short video tutorial where you will learn important fundamentals in less than 3 minutes. Click on the image or the link below.


Thanks,

Anup

Using Formula 1 Racing as a theme for a Security Awareness Video

Hello,

Security awareness messages can be packaged in various ways to give the learner a great experience. The more exciting and interesting the experience, the higher the impact on learning and recall.

Recently we built a security awareness video prototype using an F1 racing car theme, with elements of interactivity built in to ensure that the learner participated along the way. The feedback was very positive and I am happy to share the video.

Click here to play the video.

Thanks,

Anup

Comic book themed information security awareness

Hi there,

Who doesn’t like comics? After all, we grew up with them. The bright colours, the amazing characters, the thrill and suspense… it was amazing. My favourites were Phantom and Tarzan.

While going down memory lane, I thought a comic book based theme would be a good idea for a security awareness video.

Check this out. Click on the image or URL below.

http://isq-library.s3.amazonaws.com/Comic-Book-Security-Awareness/player.html

Let me know what you think.

Warm regards,

Anup

007 Bond theme for a Security Awareness Video

Hi,

Recently for promoting the “Certified Security Awareness and Competence Manager” training program in Kuala Lumpur, Malaysia, I created a promotion video using the 007 James Bond theme along with the title music from Bond films. I decided to make a generic cut of the video for sharing.

Make sure you turn up the volume a wee bit :)

Check the video here: http://isq-library.s3.amazonaws.com/007-information-security-challenge-generic/player.html

Check how the video is used to promote the training here: http://www.securityvitamins.com/sacm

Thanks,

Anup

Information Security Compliance Courses Vs. Awareness Courses

Hi,

Information security awareness content can be split into various categories. Two such categories are “Compliance” and “General Information Security Awareness”. Looking carefully at these categories shows that content developed under each must be delivered differently.

Compliance Courses

These courses have the following features:

1. They are mandatory and must be completed by everyone

2. They are a requirement as per the law of the land

3. They are best delivered using an LMS (Learning Management System) that can track attendance

4. They usually have a test/assessment at the end which the learner MUST pass

5. It is best to have a self-printable certificate that the learner can print after PASSING the exam and show as proof of completion of the course

6. They usually take anywhere between 15 minutes and 45 minutes to complete

Awareness messages

Before I list the features of awareness messages, it is prudent to ask a question. Are you trying to deliver “awareness messages” like a compliance course? Is that required? What if you have 12 awareness messages spread across the year (one per month)? Do you have the energy, resources, time and money to keep chasing employees to make them view one course per month?

This is where the following suggestions regarding awareness courses may become very useful.

1. They should be short and crisp – they should not take more than 2 to 5 minutes of learning time
2. Try different channels of delivery – screen savers, posters, wallpapers, HTML emailers etc.
3. Make it fun and interactive – you really want the learner to tell you at the water cooler, “hey, that security poster was cool!”
4. Don’t chase “completion or mandatory” attendance but aim for a positive feeling and appreciation of information security around the message
5. Keep delivering regularly (one per month)

Now, if you notice, one compliance course + 12 awareness messages in a year makes a good information security training program.

To view sample compliance courses and awareness messages, visit http://www.isqworld.com/security-awareness-samples

Cheers,

Anup

Making Security Awareness “Active” not “Passive”

Hello,

What is the best way to learn? By experiencing the learning, of course. How can you bring the element of “experience” into an online training course? The answer is by creating “elements of interaction”.

Elements of interaction

What are the benefits of introducing elements of interaction? Let us look at a few points.

Think, make decisions:

Interactive courses PAUSE at critical junctures and ask the learner to take decisions. This makes the learner think, which is an extremely important part of the learning process.

Generate interest

Interactivity involves clicking, moving forward, moving backward etc., which makes the learner an active and interested participant in the course.

Freedom to make mistakes

Interactive courses allow the learner to make mistakes and learn from the mistakes. This involves making a bad decision and understanding the implications of that bad decision.

Interactive security awareness course

Now, let us take a look at an interactive learning experience. Click here or on the image below.

Thank you,

Anup

Taking security awareness to the employees

Part 3 of building a successful security awareness program

Hello,

In my previous post we examined the importance of having security awareness success metrics in place before starting the security awareness campaign, so that you can measure whether the campaign is successful or not. In this post we will move forward and evaluate the various channels through which security awareness can be delivered. We will consider screen savers, interactive videos, emails/posters, newsletters, classroom training sessions, social media and more.

Screen savers

Pros – The best thing about the screen savers is that everyone is guaranteed to see them at least once. This means that screen savers are an ideal channel for conveying essential security awareness messages in a minute or less.

View sample security awareness screen saver on information security basics.

Cons – They are not interactive, which means the employee cannot navigate and learn through an interactive experience. But, hey… if someone comes to you at the water cooler and says, “hey, that was a cool screen saver”, it’s worth it.

Classroom training

Pros – Nothing can beat the experience and impact of a security expert, who is also an eloquent trainer, delivering a powerful classroom training session. Aided with a powerful set of training slides and interactive sessions, this is the best of the lot.

View sample security awareness training slides for an information security classroom training program.

Cons – Getting it all together is quite taxing: a good security expert who is also an excellent trainer, the time of employees, and, if you have a large workforce, getting them all into a classroom or scheduling multiple sessions.

Interactive videos

Pros – Videos that present scenarios, ask the learner to make decisions and teach through the simulated experience are a powerful form of information security awareness.

View a fun sample security awareness training video on information security tips to protect laptops and mobile devices while travelling.

Cons – Employees may not pay attention if the video is not exciting enough.

Emails/Posters

Pros – Emails/posters with a twist of creativity and short, powerful messages trigger the learner’s inquisitiveness to understand more.

View security awareness email on phishing.

Cons – If creativity and crispness are lacking, it just becomes another email sent to the “Deleted Items” folder.

Newsletters

Pros – Newsletters, designed intelligently, with interesting content, facts, titbits and “did you know?” items that can be read in less than 5 minutes are powerful security awareness channels.

View security awareness newsletter.

Cons – Again, if creativity and crispness are lacking, it becomes a dud.

Social Media

Pros – A powerful and viral channel. The trick is to use a social media platform that is locked from external access and publish a variety of content as described above (videos, newsletters etc.) on it. The users will carry and promote the content. Another powerful advantage of a social media platform is that you will know whether the users “LIKE” the stuff or not :-)

Cons – While the platform could be powerful, if the content is not good enough, then the platform becomes worthless.

Closing note

Using as many channels as possible ensures that security awareness reaches the majority of users. While channels are good at carrying content, what influences the users is the quality of the content. In my next post we will look at creating high quality information security awareness content.

Warm regards,

Anup Narayanan

Have your security awareness success metrics in place

Hello,

In my previous post we established the importance of “security competence” as a goal of the “security awareness” campaign. Now that we have established this, let us define the metrics that will help you measure the success of your efforts.

Metrics to measure success: For security awareness and security competence

Note: The metrics are based on the HIMIS (Human Impact Management for Information Security) methodology, the free copy of which can be downloaded here.

It is important to split the metrics into specific categories, viz. security awareness and security competence. This ensures that you do not get carried away by high “awareness” while “competence” could still be low.

Security Awareness Metrics

Coverage

“Coverage” indicates the target workforce (employees, contractors, partners and other interested parties) that must be covered under the information security awareness program.

Format and visibility

“Format” indicates the different types of information security awareness content. “Visibility” indicates the channel through which the content is delivered. Channels are selected in order to put information security awareness content where the maximum amount of visibility (eyeballs) can be gained.

Verbal: Trainer-led classroom sessions, personal interactions
Paper: Posters, cards, quizzes or surveys
Electronic: Videos, emails with messages, animated games, screensavers, quizzes or surveys

Frequency

“Frequency” indicates the gap between any two deliveries of information security awareness content. Frequency is critical because it influences “retention”.

Quality of content

These metrics are captured via qualitative analysis methods (surveys and feedback), and the following measurement criteria can be used.

1. Impact visualization:

Probably the most important factor. An example of impact visualization is visually depicting the damage (stealing a laptop, stealing valuable documents) that an intruder can cause by tailgating.

2. Business relevance:

The information security awareness program, and specifically its content, must capture the business requirements of information security.

3. Clarity and ease of understanding:

Style must not be sacrificed for substance. Emphasis must be given to conveying the message in a simple and clear manner first. Building style around the message should be done without diluting the message or making the content complicated.

4. Consideration of cultural factors:

It will be useful to consider cultural factors such as:

a. Language or terms used (usage of colloquial terms may be more effective)
b. Colour and design
c. Characters represented

Retention measurement

“Retention measurement” indicates a method to measure how much the workforce has “understood and remembers” after the information security awareness delivery. Strategies that can be used are:

a. Personal interviews
b. Surveys
c. Quizzes

Security Competence Metrics

The following strategies can be used to measure security competence.

Observations: For example, observe for tailgating, or observe how many meeting rooms still have sensitive information on the board after the meeting
Log review: For example, browsing and email patterns can be observed through log reviews of the corresponding systems
Data mining: For example, mine internet search engines to see how much sensitive information about the company is available online
Incident report review: For example, a review of incident reports may show how many laptops were lost, and further investigation may reveal whether the cause was carelessness (poor behaviour) or not (maybe the user was physically attacked)

Being practical, being creative, being reasonable

Too many metrics is also not a good idea. Use the ones that will give you a good degree of confidence, so that you can trust your findings. With a list of success metrics and the strategy to measure them, you are now ready to move forward.

Catch you with my next post.

Anup Narayanan