
Security Awareness Series: Part Three – Choosing Topics
July 29, 2010
If you and I were to each list ten awareness topics on separate pieces of paper, chances are most of those would be the same. To illustrate, grab a piece of paper and list ten topics. Then continue reading…
Here are ten topics off the top of my head. How many match yours?
- passwords
- malware
- phishing
- social engineering
- laptop security
- strangers on site
- clear desktops
- USB security
- encryption
- data classification
The truth is it is easy to come up with information security awareness topics. The hard part is coming up with topics that are relevant to your organisation.
So, base your topics on drivers that already exist. Not a list like you’ve just written, but clear and present needs. For example:
Audit points – Responding to audit points will not only satisfy the auditors, but will make you look like a security superstar to the powers that be (well, at least a competent and co-operative employee) and may even address some genuine security risk.
New policies – Whenever a new security policy is introduced an awareness campaign should accompany it. After all, the best policy will be little more than scrap paper if no one understands it or even knows of its existence.
Existing policies – People need reminding. It’s a fact of life. While the existence of policies that make sense will stick in people’s minds, the details may not. For example, everyone knows that they should choose good passwords, but do they know what constitutes a good password as per your policy?
The Information Security team itself – You’re no doubt part of a customer-focused, client-centered, professional team which is always on hand to answer security-related questions from any employee (or at least you should be). Just letting people know you are there will help to raise the profile of security in the minds of your audience.
Incident metrics – Depending on how good your visibility of actual security incidents is, you should of course be using this information to drive topics too. From experience, that visibility isn’t always there, so it can be easy to rely on exaggerated media reports or releases from product vendors. Be careful using this data in your campaigns. Overstating the problem can lead to message fatigue. To counter this, always provide a solution to the issue you’re covering. Your campaigns will then be remembered for being useful and not just FUD.
What this all boils down to is that your topics need to be relevant. The best clear desktop campaign is pointless if your organisation has no clear desktop policy. In reality you will cover some of the topics from the bulleted list above. When you do, put them into the context of your organisation. The next post will discuss how this is done.