Creative content for continuous security awareness programs
NoticeBored delivers creative awareness materials in monthly modules covering a wide range of information security topics (more below). This innovative rolling approach means NoticeBored awareness programs are constantly refreshed with less chance of the materials becoming stale and boring.
Contrast this with the traditional “sheep dip” approach to security awareness - a sporadic lecture to the troops by an information security person, at once both tedious and pointless. We all know that most people don’t respond well to these forced sessions, and that they are often only used to satisfy the auditors. NoticeBored customers know that security awareness can be a much more creative, satisfying and cost-effective continuous process.
Month-by-month, the modules build into a comprehensive library of creative security awareness materials. We can optionally supply the entire back catalog of previously-delivered modules on DVD to get your awareness library and program off to a flying start.
Information security topic coverage
The complete portfolio of NoticeBored modules extends to around 30 different information security topics. Most modules are refreshed/updated and reissued every three years or so with four core topics and the induction module being revised annually. The scope and contents of each module are derived from sources such as ISO/IEC 27001 and 27002, ITIL, COBIT, the Information Security Forum’s Standard of Good Practice, information security coverage in the professional news media and our own professional experience. Here is the current portfolio of modules:
Accountability and responsibility - examines and explains these two commonly misunderstood concepts in an information security context;
Authentication and login (core module) - everything from choosing strong passwords to smart cards, biometrics, identity theft and access control;
Awareness - our first module described security awareness tools and techniques. This module subsequently became the induction module;
Bugs! - errors in program specification, design, coding or configuration by software development professionals and end-users can create security vulnerabilities;
Change management - security aspects of IT-related changes including patching, testing and configuration management;
Compliance - fulfilling obligations under IT/information security-related laws, regulations, standards, policies, procedures and guidelines including issues such as copyright, privacy, ISO/IEC 27000-series, ITIL etc.;
Computer auditing - understand what makes IT auditors tick, what they do and how to work with them most effectively;
Contingency planning - planning for success by preparing to cope with the worst - includes business continuity, resilience and disaster recovery;
Database security - securing large collections of valuable data against hackers, corruption, loss etc.;
Email security (core module) - risks relating to the receipt and sending of electronic mail including malware, defamation, phishing etc.;
Hacking - tips to counteract hackers, crackers, industrial spies, fraudsters, criminals and other adversaries;
Incident management - reacting to, containing, resolving and learning from information security incidents;
Information security management - roles, structure and reporting lines for the security management function and its relationships with others;
Information security risk management - explains the processes of analyzing and managing risks;
Insider threat - covering the security threats created by employees and others working in a similar capacity;
Identity theft - based on the authentication and password modules, this one focuses specifically on identity theft risks and controls;
IT governance - controlling and minimizing IT risks forms an integral and vital part of corporate governance;
IT-related fraud - phishing, identity theft and other forms of fraud committed using IT systems and networks;
Keeping secrets - all about keeping sensitive corporate and personal information confidential;
Malware (core module) - viruses, worms, Trojans, key loggers, spyware, rootkits and more;
Mobile and home working - information security considerations for road warriors & those working from home;
Network security - all manner of information security issues linked with networking in general and the Web and wireless networks in particular;
Network & systems management - processes for securely installing, configuring, monitoring and managing IT;
Office information security - a range of security topics associated with the average office or workplace; 
Passwords & biometrics (core module) - presents advice to staff on choosing stronger passwords, coupled with advice to managers and IT on choosing better user authentication mechanisms;
Personal data protection and privacy - focuses specifically on protection and privacy issues relating to data about living individuals (Personally Identifiable Information or Personal Data);
Physical security - protecting the facilities against unauthorized access, fires, floods, overheating, power disturbance, lightning ...;
Secure software development - integrating security with the system lifecycle from specification and design through to testing and configuration;
Social engineering (core module) - the only practical way to tackle this threat is through genuine security awareness;
Third parties - information security issues resulting from the increasing interconnectedness of modern organizations;
Trade secrets - covering a spectrum of activities from competitive intelligence to information warfare.
Core awareness modules
The core modules covering malware, social engineering, email security and authentication/passwords are updated and re-issued annually. These are topics that practically all security awareness programs need to cover and are repeated more frequently than the others to remind employees of their obligations. Various Internet/networking security topics are also covered quite frequently. If your organization needs a simple security awareness program, consider using just the core modules and skip the rest!
Other modules are delivered in the intervening months to build a broad level of security awareness. They are refreshed roughly every three years.
Cross-referencing of related topics and consistency of the central information security messages (built around confidentiality, integrity and availability) brings a coherence to the NoticeBored awareness materials often lacking in other “awareness solutions”.
Induction module - a free bonus
The NoticeBored Classic induction module contains basic security awareness materials for use in new employee security induction courses or orientation training. This module can also be used to launch security awareness programs. It is provided as a free bonus module to welcome new customers when they sign up for NoticeBored.
What is a “module” anyway?
Modules are compressed ZIP files of about 20-60 Mb, containing around twenty different types of security awareness item. Each module is consistently styled and themed around one topical information security issue per month. Modules are listed on the diary page and all of them are included in our back catalog.
The awareness materials themselves are mostly Microsoft Word, PowerPoint and Visio files, plus .JPG images. We supply fully-editable files so that customers can adapt the wording to suit their specific requirements, for example providing contact details for the Information Security Manager or equivalent, referencing corporate policies etc. Customers are welcome to cut-and-paste the supplied content to supplement existing awareness and training materials including Learning Management Systems (such as SecureAware).
Keep up with recent information security incidents and emerging risks through NoticeBored
All our modules include topical information security news clippings and references, highlighting and expanding upon stories that employees will probably have seen in the general news media. The monthly delivery cycle and flexible delivery schedule give us a significant advantage over more traditional awareness products: NoticeBored picks up on information security risks as they emerge. Whereas most competitors deliver annually, NoticeBored keeps up with current trends.
While we can only cover incidents that are in the public domain, we encourage customers to incorporate information about actual incidents within their organizations into their awareness programs. This is one good reason why we provide editable files - what better way to bring the security message home to employees than to make them appreciate that security breaches are happening around them?
Take a good look at the NoticeBored Classic samples to see exactly what you’ll be getting for your money.