Infosecurity professionals must tailor security training for today's visually based, text-limited society.
As I look around my office, a co-worker listens to his iPod, others trade games for their Xbox 360s, and at lunch, a Gen-Xer watches a movie on his PlayStation Portable. These daily events signal a quiet but powerful revolution in the way people experience information: We are drifting away from purely textual sources into a post-literate society, and IT security professionals need to adjust security training media accordingly.
In the Industrial Age, text was king. In today's post-industrial century, text yields to the visual: It shrinks to be tolerable and diminishes in its ability to clarify thought. Web pages are the mode of discourse, hyperlinking permits unparalleled lateral movement, and reading is reduced to scanning and surfing. Today's media must be savvy enough to keep readers interested while still providing valuable information.
Lengthy text continues to exist in legal documents, corporate annual reports, academic prose, and information security writing and training, often yielding page after page of dense, impenetrable wording.
An example: "Institutional attacks upon domain name servers are multi-dimensional, affecting enterprise systems and requiring cryptographic and split-horizon DNS technologies as a part of the incident response process." Instead, this would be the more direct wording for today's audience: "Understanding cryptography and how to design split-horizon domain name servers (DNSes) will help you investigate attacks."
Today's society prefers cruising through factoids and images, but that doesn't engender insight or knowledge. Fostering security awareness involves more than just pointing to Web sites. Whether it's through PowerPoint presentations or articles, IT security professionals need to formulate contemporary rhetoric:
- Tell a story whenever possible with fresh, concise prose in the active voice. Illustrating with a narrative adds coherence to technical material; relating the specifics of circumventing a firewall, for example, takes the reader from an abstract theory to a story with concrete details.
- Use graphics, illustrations and sidebars to amplify the text. Show the tricks of the charlatan's trade in cyberspace and in manipulating digital information. For example, if you discuss "phishing," show in a series of screenshots how the scam usurps a company's logo and other elements from its Web site.
- Encourage a healthy skepticism toward electronic information. Readers need to develop skills for judging the validity and reliability of Web sites, e-mail and business opportunities.
- Experiential learning dominates; play and experimentation uncover many security vulnerabilities. When teaching security professionals, show them that threat modeling (considering weaknesses in defenses from a rogue's perspective) and envisioning avenues of attack will help them stay ahead of emerging threats.