December 19, 2012

Happy Birthday! Reaching a milestone...

This blog made it to the one year mark!

H-A-P-P-Y   B-I-R-T-H-D-A-Y!

While sitting in a public affairs briefing with my mind somewhere between daydreaming and wondering when the speaker was going to be done talking, I heard a line that stuck with me. Most blogs do not make it to the one year mark.

Admittedly, when I first started this blog, I had grand visions in my mind of how my readership would quickly swell and I would rake in big bucks from the site advertisements. Within the first month, I had nine posts with many more in draft form waiting to be published for my adoring fans. I was reading anything I could find on successful blogging and increasing readership. I was going to make a name for myself in the security field. I knew it!

Let me tell you that those fantasies crashed and burned big time. Life began to get in the way of my blogging success. Family, work, and eventually school began to interfere with my blog writing. My posting began to slowly dwindle down to only a couple of postings a month, then to going a couple of months without a post. I was lucky if I got over 200 views in a month. The only comment I received the entire year on any of my postings was easily categorized as spam.

Thankfully, I have a steady paycheck from my non-blogging job, which allows me to attend to this blog as a hobby. As I mentioned in the "why this blog" post, the primary point of this blog was not to strike it rich, but to improve my skills. I hope my writing improved over the year. If not, I guess I will keep torturing you and other readers with another year's worth of posts! Here is to another year :)

Instagram Update!

Instagram is revising its updated terms of agreement in response to the recent outcry from users and news outlets. This provides a great example of what happens when users push back against intrusive policies.

Instagram's recent blog post addressing the controversial changes to their terms stated:

           "From the start, Instagram was created to become a business. Advertising is one of many ways that Instagram can become a self-sustaining business, but not the only one. Our intention in updating the terms was to communicate that we’d like to experiment with innovative advertising that feels appropriate on Instagram. Instead it was interpreted by many that we were going to sell your photos to others without any compensation. This is not true and it is our mistake that this language is confusing. To be clear: it is not our intention to sell your photos. We are working on updated language in the terms to make sure this is clear...The language we proposed also raised question about whether your photos can be part of an advertisement. We do not have plans for anything like this and because of that we’re going to remove the language that raised the question. Our main goal is to avoid things like advertising banners you see in other apps that would hurt the Instagram user experience. Instead, we want to create meaningful ways to help you discover new and interesting accounts and content while building a self-sustaining business at the same time."

You can read the entire post at:

December 18, 2012

Instagram Policy Changes

As part of their merger with the social media giant, Facebook, Instagram changed their user policy. In case you were not aware, Instagram is a quirky photo sharing platform that lets you add various filters and share with friends. Earlier this year, they were bought out by Facebook. The new terms are not in the users' favor and go into effect January 16, 2013.

Located in the "Rights" section of the updated terms: "Some or all of the Service may be supported by advertising revenue. To help us deliver interesting paid or sponsored content or promotions, you agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you. If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to this provision (and the use of your name, likeness, username, and/or photos (along with any associated metadata)) on your behalf."

Another way to say it is, we're going to make money off your stuff and you get nothing. But wait, there is more. The updated agreement also states "You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such." Certainly a fancy way of saying, we're not telling you when we're making money off of your stuff.

You can read all terms for yourself at
All of a sudden that cool free app came with a price tag! Considering not many people read the terms of agreement before clicking "I agree," I wonder how many people will unwittingly provide their information and pictures for somebody else's profit. This certainly adds a new dimension to privacy concerns. The only way of getting out of these new terms is to delete your account and stop using their services.

December 17, 2012

Creating Real Security Awareness: STEP 2

[Image caption: Identify your audience]

After starting the first step in the security awareness cycle, it's time to continue on with the next step.

Step 2: Identify the Audience.

As with any briefing, article, or other form of communication, you need to identify the audience you are trying to target. Why? Because if you are going to have an effective security awareness program, your content must be engaging. To catch people's attention you must tailor your message to them. Prior to crafting that special message, you need to know who you are tailoring it to. Identifying your audience first helps you later down the road. Trust me!

Now back to identifying the audience. Like most general security specialists, you probably want to target the workforce. Great! We narrowed the field down some. From here, break them down into groups and possibly further into sub-groups, for instance work groups (professional vs. entry level, administrative support vs. management), age (baby boomer vs. generation Y), and educational level. Keep in mind the mentioned groupings are only suggestions. There are a variety of grouping types; the only thing stopping you is your imagination. For example, in a school setting the different audience groups you have are teachers, students, administrators, support staff, and parents. Each group is distinctly different from the others. The next two parts of this step help you in defining your audience, which will help you in crafting a message that hits the target.

[Image caption: Defining the audience helps you in crafting a message that hits the target]

After identifying the audience groupings, research their communication preferences. For example, generation Y members are typically more comfortable with computer-based instruction and social media, while baby boomer members typically prefer more face-to-face interactions and reading hard copy material. Identifying how the different groups communicate allows you to focus efforts on communication platforms that provide a better return on your time. Additionally, you increase your chances of overcoming communication barriers.

Another part of defining your audience is looking at their interests. This becomes key in creating engaging material for your security awareness program. To illustrate my point, I will use a preschool classroom as a setting. When I had to teach a preschool Sunday School class, I had to look for material that would interest the class. Considering 12 out of the 16 kids in the class were energetic boys that wanted to play super heroes, I focused on activities that required movement and taught the lesson as heroes from the Bible. This approach not only caught their interest and preoccupied them, it helped them to remember the message. After all, when you're done running your security awareness campaign, you want your audience to remember the message.

Other articles in this series:
#1. Creating Real Security Awareness: Identify the requirement
Intro. Creating Real Security Awareness

December 4, 2012

Creating Real Security Awareness: Identify the requirement

Continuing from our initial Creating Real Security Awareness post, we're breaking down the process. The most logical place to start is at step one, identifying the requirement.

Step One: Identify a requirement/need
[Image caption: What message is conveyed? Does anybody learn about]

This step is the starting point and what helps you in focusing your awareness campaign. Okay, I admit, this is not the step where you get to let your creative juices flow, but you will later. Trust me! In order to develop a true awareness program, you must identify what you are raising awareness about. Granted, you want to raise people's awareness about security, but using a generalized approach achieves nothing. It's too broad!

You need to identify a specific requirement, which does not mean quoting some regulation. YAWN! Look at your organization, workforce, and customer base to see if they are lacking in needed security knowledge or complacent in their security responsibilities.

Some questions you may want to ask:
Is there a recent change in security policy due to a change in threat? Do people understand why we have the security rules in place? Are there multiple security infractions? Do people know how or what to report? Can people easily find security information related to their job?

[Image caption: Eye catching and provides a quick take away. People will likely remember this policy.]

I hate repeating myself. If you don't believe me, go ask my kids. There are so many better things to be doing with my time than repeating something already said or done. At least that is how I feel. So when I get multiple phone calls from people asking the same question, I get frustrated, because I equate it to redoing work. (Needless to say, I don't work in customer service.) Besides my own personal annoyance, this also provides a clue that information people want to know is not readily available. In the security industry, this is also referred to as an indicator. An awareness campaign focused on providing wanted information gives the workforce the required information and reduces my phone calls. Win-win in my book.

You could go through the extra work of conducting a survey across the workforce, but if we're truly honest with ourselves, I think we could come up with a couple of requirements. Personally, I keep an ongoing list in a small notebook as issues arise while I perform my other duties. If you are actively engaged in your security program, you will never run out of fodder for an awareness campaign with this approach.


December 3, 2012

Creating Real Security Awareness

"Oh no! Not another PowerPoint Briefing!!"

[Image caption: Cheesy posters that provide nothing. No indicators of reportable info. No threat. Why bother?]

If people scream this as they run out to the hallways to escape the mind numbing sensation your security awareness program invokes, it may be time to rethink your approach.

Throughout major corporations and government agencies, you may see cheesy security posters hanging in various locations. If you've been employed by these entities for any length of time, you've probably endured your fair share of the annual security "death by PowerPoint" training that contained nothing more than security jargon and corny clip art. Unfortunately, some so-called security practitioners call this a security awareness program.

Effective awareness is more than annual PowerPoint slides and posters.

[Image caption: Generic overgeneralization with no valuable information. What are people supposed to take away from this?]

Earlier this year, Ira Winkler, a top security professional, wrote that "awareness mitigates non-technical issues that technology can' will find that security awareness is one of the most reliable security measures available." (Winkler, 2012) An effective awareness program is a great return on investment, but it requires more than the obligatory annual PowerPoint security training and posters. In order for a security awareness program to be effective, it must engage people and impart a message. I personally find explaining the reasons, otherwise known as the "why," behind established security rules helps win over converts to the cause. Additionally, providing real examples of the threat the rules were designed to protect against helps users see security from a different aspect.

While there may be different models out there, I use the following steps in creating a tailored awareness program. You can call it my awareness cycle.

1) Identify a requirement/need
2) Identify audience
3) Research
4) Develop a communication plan
5) Develop material
6) Execute
7) Evaluate

Then repeat as necessary. Upcoming posts will cover each of these steps in more depth. Stay tuned!