Information Security

Defending the digital infrastructure



Perspectives: Security training must be a visual, interactive experience

Security awareness training exercises must be interactive and visually stimulating, and must help users judge the validity and reliability of websites and web content.

Infosecurity professionals must tailor security training for today's visually-based, text-limited society.

As I look around my office, a co-worker listens to his iPod, others trade games for their Xbox 360s, and at lunch, a Gen-Xer watches a movie on his PlayStation Portable. These daily events signal a quiet but powerful revolution in the way people experience information: We are drifting away from purely textual sources into a post-literate society, and IT security professionals need to adjust security training media accordingly.

In the Industrial Age, text was king. In today's post-industrial century, text yields to the visual: It shrinks to be tolerable and diminishes in its ability to clarify thought. Web pages are the mode of discourse, hyperlinking permits unparalleled lateral movement, and reading is reduced to scanning and surfing. Today's media must be savvy enough to keep readers interested while still providing valuable information.

Lengthy text continues to exist in legal documents, corporate annual reports, academic prose, and information security writing and training, often yielding page after page of dense, impenetrable wording.

An example: "Institutional attacks upon domain name servers are multi-dimensional, affecting enterprise systems and requiring cryptographic and split-horizon DNS technologies as a part of the incident response process." Instead, this would be the more direct wording for today's audience: "Understanding cryptography and how to design split-horizon domain name servers (DNSes) will help you investigate attacks."

Today's society prefers cruising through factoids and images, but that doesn't engender insight or knowledge. Fostering security awareness involves more than just pointing to Web sites. Whether it's through PowerPoint presentations or articles, IT security professionals need to formulate contemporary rhetoric:

  • Tell a story whenever possible with fresh, concise prose in the active voice. Illustrating with a narrative adds coherence to technical material; relating the specifics of circumventing a firewall, for example, takes the reader from an abstract theory to a story with concrete details.
  • Use graphics, illustrations and sidebars to amplify the text. Show the tricks of the charlatan's trade in cyberspace and in manipulating digital information. For example, if you discuss "phishing," show in a series of screenshots how the scam usurps a company's logo and other elements from its Web site.
  • Encourage a healthy skepticism toward electronic information. Readers need to develop skills for judging the validity and reliability of Web sites, e-mail and business opportunities.
  • Experiential learning dominates; play and experimentation uncover many security vulnerabilities. When teaching security professionals, show them that threat modeling (considering weaknesses in defenses from a rogue's perspective) and envisioning avenues of attack will help them stay ahead of emerging threats.

Ultimately, understanding the post-literate culture's impulse to explore will be the hallmark of 21st-century security thinking. It is essential for developing the skill and awareness needed for dealing with ever-evolving cyberthreats.
