question
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 1/60
12
Effective Security Communications
The meeting of two personalities is like the contact of two chemical sub-
stances: if there is any reaction, both are transformed.
Carl Gustav Jung, 1875–1961
Why a Chapter Dedicated to Security Communications?
If the phrase security communications conjures thoughts of the network,
protocols, blocking, terminating communications, ensuring messages get
from point A to point B intact, and must be available 24/7, you are correct.
However, the topic is not about computer communications but rather hu-
man communications. Information security governance depends upon
humans to deliver the right message to the right individuals at the right
time in the right manner for the messages to be heard and acted upon.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 2/60
Imagine for a moment that the information security department cre-
ates a plethora of security policies representing the equivalent of creating
the Mona Lisa to an artist or creating a team of athletes that wins the
Super Bowl. Imagine then that what would have happened if no one had
ever seen the Mona Lisa that was stored in an attic or the team that was
capable of winning the Super Bowl never showed up for its games? A sim-
ilar fate can fall upon the information security program if information se-
curity policies, ideas, and initiatives are not properly communicated.
True information security governance may look good on paper, with poli-
cies drafted and technical solutions appearing to be in place, but if these
are not communicated properly, security governance is really not
occurring.
Security communication takes on many forms such as the publishing of
information security policies, selling the next information investment to
management, explaining the current status of security audit issues to the
board of directors, crafting security e-mail messages of the latest security
concerns, or simply having a conversation about a security issue with a
security colleague or business unit manager. It should be clear that every
communication by every individual associated with the information secu-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 3/60
rity team has the potential to either (a) provide increased credibility and
support to the information security program or (b) cause the information
security area to be viewed as a roadblock or lessen trust that the security
group has the organization’s best interests front and center.
Communication skills are constantly evaluated as we are growing up—
from formal penmanship, written communication skills, listening skills,
plays well with others, and speaks up when called upon as a child to the
formal performance reviews where written and oral communication skill
competencies are evaluated on an annual basis. The continuous evalua-
tion of these skills indicates the importance of them. After all, how effec-
tive can we be in the workplace if we cannot effectively communicate
with others? Hence, due to this importance, this chapter is dedicated to-
ward how security professionals can improve their communication skills
to convey the appropriate security messages throughout the organization.
Different aspects of communication are explored and by understanding
the different communication styles that are occurring within the com-
pany, the security executive and professional can be more effective in
constructing and delivering the appropriate message.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 4/60
End User Security Awareness Training
One of the debates over the past decade has been whether information
security awareness training has been effective. Much of this concern is
generally started from an analysis of the number of security incidents in
a given year and then concluding whether the end users were receiving
the message and acting in a secure manner in their day-to-day jobs. The
conclusion then usually suggests that technical controls need to be imple-
mented to take out the risk of “human error.” Unfortunately, these con-
clusions are made without the benefit of a scientifically controlled experi-
ment, whereby the “test group” of users of the same organization re-
ceived no security awareness training were evaluated against a “control
group” in order to determine whether there would have been more or
fewer incidents experienced by the control group. Obviously, technical
controls are very important to the information security program, and are
necessary to address the aspects such as antivirus, encryption, firewalls,
security mechanisms, physical security, authentication, and monitoring,
but given that technical controls cannot fully address the end-user behav-
iors, security awareness training must be in place to reduce the risk.
Information also comes in nontechnical forms (oral and paper docu-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 5/60
ments) that cannot be secured by technical means or without the dili-
gence and assistance of the end user. For example, a policy may state that
all documents transported between the office and home need to be trans-
ported in a locked container. If the end user is not aware of the policy or
does not understand the rationale for the policy, she might decide it is not
necessary and not place the documents in a locked box. Alternatively, an
individual may load boxes of documents in his car in the wintertime,
leaving the engine running to keep it warm while hr runs back into the
house to retrieve more boxes for loading. Meanwhile, the end user may
be taking an increased risk that the car will be stolen and the confidential
documents exposed. Since there are no technical controls to prevent this
(other than the end user locking the door in between trips), security
needs to be continuously reinforced with the end user to reduce the risk
of this type of error.
Awareness Definition
Security awareness training is different from security training. The
National Institute of Standards and Technology Special Publication 800-
50: Building an Information Security Technology Security Awareness and
Training Program (NIST, 2003) provides the following definition:
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 6/60
Awareness is not training. The purpose of awareness presentations is simply
to focus attention on security. Awareness presentations are intended to allow
individuals to recognize IT security concerns and respond accordingly. In
awareness activities, the learner is the recipient of information, whereas the
learner in a training environment has a more active role. Awareness relies on
reaching broad audiences with attractive packaging techniques. Training is
more formal, having a goal of building knowledge and skills to facilitate job
performance.
In short, the basic objective of security awareness training is to (1) pro-
vide enough information to the end users as to what they and others
should and should not do and recognize what would constitute a security
incident, and (2) know what they should do if they recognize or suspect
that a security incident has occurred. If these two objectives have been
met, then the information security awareness program has been
successful.
Delivering the Message
Information security programs fall short of the message when the secu-
rity message is not crafted in a manner that grabs the end users’ attention
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 7/60
or fails to provide them with the necessary information. Let’s face it,
many security people progressed to higher levels within the organization
due to their technical abilities, not based upon their communication or
marketing skills. Providing information security awareness is essentially
marketing—inducing the recipient of the message to buy something (in
this case buy into) what they ordinarily may not have thought to buy on
their own. Savvy marketers craft the message not in pages of boring tech-
nical, jargon-filled presentations, but rather in short, high-impact, sound-
bite type messages that grab our attention and are retained. Security pro-
fessionals must do the same. The following seven steps, adapted from
NIST security awareness guidance, provide a process for delivering an ef-
fective information security program.
Step 1: Security Awareness Needs Assessment
Assessing security awareness is often an overlooked step when first im-
plementing a security awareness program. Without knowing where the
highest risk areas or areas that have been causing the most incidents are,
valuable time with the end users could be wasted. The needs can be de-
termined from multiple sources, as described next.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 8/60
New or Changed Policies If the organization is rolling out a new iden-
tity management system or a new incident reporting process, this may be
a good time to explain how this will work. Or a new law or regulation
could mandate new reporting requirements that would need to be
communicated.
Past Security Incidents Past breaches can provide a wealth of informa-
tion from which to construct the security awareness program. These are
also very useful in obtaining the end users’ attention, as it demonstrates
that security issues are occurring within their organization versus a theo-
retical concept that “this could happen.” It also reduces the likelihood that
the end user will think that the security department is sensationalizing
the news. Care should be taken when presenting actual incidents within
the company that it is not possible for the end users to deduce the person
or in which department that the individual was working. This could
cause some ethical and legal issues in disclosing personal human re-
source issues. The objective is to explain the incident so that the same
type of incident does not reoccur through someone else’s behavior.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 9/60
Incidents of the same type that have a high number of occurrences would
be excellent candidates for targeted security awareness training.
Systems Security Plans Systems security plans (SSPs) document the cur-
rent state of an information security system and can take the form of a
major application (MA) or general support system (GSS). Since these plans
define the overall business objective of the system, the infrastructure,
and the managerial, technical, and operational controls required to sup-
port the system, these documents can provide excellent sources of the
types of information that needs to be shared with the end users. For ex-
ample, if there are many business partners that are part of the infrastruc-
ture, the end users may need to be made aware of which email communi-
cations are secure or what is permissible to discuss with the business
partner due to intellectual property rights that are defined in the systems
security plan.
Audit Findings and Recommendations If there are recurring audit is-
sues that have not been mitigated, these should be included in the secu-
rity awareness training. Since auditors cannot audit 100% of everything,
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 10/60
samples are taken that represent a statistical significance if an issue is
found. The issues found may or may not have occurred across every de-
partment; however, that does not mean that the issue is not broader than
the audit issue found. For example, the auditors may pull a sample of
policies and procedures and determine that they have not been updated
on an annual basis for a couple of departments. Odds are, just as when a
pest exterminator sees one mouse, there are likely to be many more, so is
it likely that other areas have not been following the process of annual
updates. Typically these are issues of security governance across the orga-
nization; the tone at the top has not made this a priority or there have not
been the processes in place to monitor and ensure this is completed on an
annual basis. Repeat audit issues should always be addressed either to a
targeted group or broadly across the organization, depending upon the
issue.
Event Analysis Similar to security incidents, event analysis of the moni-
toring logs can highlight areas of concern. These are likely to evolve into
targeted training more than security awareness training. For example,
logs indicating that firewall vulnerability is repeatedly being exploited by
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 11/60
external hackers may indicate the need to train the network group on de-
vice configurations.
Industry Trends Introduction of new technology into the marketplace
can provide a rich source for discussion. Discussing the use of social me-
dia in the workplace, such as Facebook, LinkedIn, or Myspace will pro-
vide relevant discussion of issues that most end users can relate to.
Alternatively a discussion of the use (or nonuse) of personal e-mail and
the acceptable use policy to govern appropriate Internet behavior will be
of interest to the end users. The security officer has to keep abreast of the
current industry trends to ensure that the risks are mitigated, as new
technologies are often released first and then security controls are added
second. The reality of this situation is that products are usually in a race
to become the first to capture market share and may not have imple-
mented the necessary security controls. As an example, consider the evo-
lution of the Windows operating system and how it took almost nine re-
leases over a period of more than two decades to build-in many of the se-
curity concepts that are expected today.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 12/60
Management Concerns Managers should be polled to determine what
issues they are aware of that need more focus. They may be concerned
with documents not being properly disposed or laptops not being put
away at the end of the day or securely transported.
Organizational Changes After reorganizations, employees are often-
times reporting to a new manager that may operate differently. This is a
good time to reinforce the security concepts. Locations may have closed
during the reorganizations or whole departments eliminated, thus creat-
ing potential changes in the security procedures.
Step 2: Program Design
Communications can either happen through the best intentions or be de-
signed. By approaching the security awareness program as something
that must be designed, the chances of leaving out critical components are
lessened. A car would not be produced without a design; a TV show
would not be delivered without a script to guide the flow of the contents.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 13/60
Target Audience A cliche in providing presentations is to know your au-
dience. The security awareness presentation delivered to a group of air-
line mechanics may be different than to a group of customer service rep-
resentatives. The analogies or stories used in the presentation to connect
with the audience may be different. For example, relating the informa-
tion security concepts of physical protection to ensure that no unautho-
rized people are in the hangar that could cause loss of life by tampering
with the airplane engine parts may be effective with the airline mechan-
ics. The customer service representatives may relate to the importance of
verifying the caller with identifying information so as to not release con-
fidential information to the wrong person. Alternatively, talking about
sending faxes to the wrong healthcare provider would have little rele-
vance to the airline mechanics.
Frequency of Sessions Security awareness training should be per-
formed minimally once a year and preferably during a time in the busi-
ness cycle that will not cause an increased burden in meeting the com-
pany objectives. For example, having a training session for a group of ac-
countants at fiscal yearend or right before tax season would not be wel-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 14/60
comed. If face-to-face sessions are used, scheduling of the sessions needs
to be planned so that there is ample time for individuals to plan the train-
ing into their schedules.
Number of Users Face-to-face sessions work best when the number is
kept to 30 or less. A group of this size allows for interaction and more ex-
change of information between the participants. Schedules should be
drawn up 6 to 8 weeks in advance of the training to ensure the greatest
attendance and to obtain the appropriate facilities.
Method of Delivery Face-to-face sessions work best, however, these are
also time consuming, as multiple sessions are needed to cover the work-
force in groups of 25 to 30 people. The security officer and his staff have
to dedicate significant resources to this task, especially if the associates
are spread out across multiple locations. As a result of cost reductions,
some security departments have gravitated to online learning manage-
ment systems to deliver PowerPoint-type contact to the end user. The dif-
ficulty with this approach is that users may simply click through the ma-
terial without providing their full attention, which is much harder to do
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 15/60
in an interactive security awareness session. Even though quizzes can be
incorporated into the material to determine whether the end user was
paying attention, it is difficult to ascertain if the end user was truly en-
gaged. The more engaged the participants in the learning process, the
greater the likelihood that the material will be retained.
Resources Required The labor, materials, locations, and budget re-
quired for the program need to be reviewed. At this stage the full costs
may not be known, however, the budget parameters should be deter-
mined. It would not be unreasonable to spend 1% to 2% of the informa-
tion security budget on security awareness training and a greater per-
centage on a small budget.
Step 3: Develop Scope
The security awareness program must be scoped or there is a risk that the
message will be lost in delivering the training. Scoping utilizes the needs
assessment captured in step 1 and determines what topics are provided.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 16/60
Determine Participants Needing Training Once the scope of the train-
ing has been initially defined, the population that is required to attend or
participate in the training needs to be defined. Depending upon the com-
pany desire or the law or regulation, all employees, including contractors
requiring systems access may be subject to the training. If a subcontrac-
tor relationship exists with another firm that is performing work on the
organization’s behalf, then it should be determined whether the subcon-
tractor should provide its own security awareness training (as the sub-
contractors are employees or contracted to that firm) or should the com-
pany that hired the subcontractor require the security awareness training
provided to its own employees.
New hires present a special situation that must be addressed. The orga-
nization may require annual refresher training for the existing employ-
ees and contractors, but the new hires also need the security awareness
training from day one. New hires should not be allowed access to the sys-
tem until they have had some form of security awareness training. One
technique that is very effective is to have the hiring manager provide se-
curity awareness training to the employee (e.g., in the form of a
PowerPoint presentation); have the employee sign an attestation that they
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 17/60
have read the security requirements, understand them, and will abide by
them; and have the manager fax or e-mail the signed copy to the security
administration or access management department or whichever depart-
ment is responsible for account establishment. Once the fax or e-mail is
received, then the department can release the login ID and password to
the manager to provide to the employee. The employee would then log on
and change the onetime password. In this manner, the new hire has the
appropriate on-boarding security awareness training that may not line
up with the scheduled annual awareness training, which they would take
during the next cycle with everyone else.
Business Units Security awareness training is generally developed for
the current cycle (i.e., annual training) and provided to everyone in the
organization. However, there may be special situations where the train-
ing is customized to a particular department because of different
concerns.
Select Theme One of the most important aspects in designing a security
awareness program is to select a theme for the training. A list of themes is
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 18/60
shown in Table 12.1. This helps to focus the training around a subject and
keeps the scope from drifting. Selecting a theme does not limit the cre-
ativeness of the training, but rather permits the designer to build the pro-
gram around a common concept while introducing other security-related
items into the program. For example, while constructing a security
awareness training program using the theme “Internet and E-mail
Security,” the concepts of antivirus, confidentiality, non-sharing of pass-
words, encryption, phishing, and website malware can be introduced into
the training.
Table 12.1 Security Awareness Themes
Appropriate
Internet usage
Viruses, worms,
Trojans,
malicious code
Spyware Phishing attacks
E-mail security Identity Theft Confidentiality,
information
sensitivity
Spam
Social engineering Incidents and
incident
Shoulder surfing Government
regulations
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 19/60
response
Wireless security Tablet
computing
Smartphones Laptop security
Copyright
protections and
licensing
Need-to-know
access
Individual
security
responsibility
Password
management
E-mail etiquette Clean desk
policy
Home network
usage
Protecting
yourself and
your company in
a disaster
Handling of
protected health
information or
credit card data
Latest
information
security events
in the news
What is risk? Obtaining access
to information
The common mistake is that the fire hose method of security awareness
education is used, and all possible aspects of security are communicated
during a 1 to 2 hour presentation or during a webinar. The end users eyes
glaze over and little is retained other than “be sure to not let someone
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 20/60
piggyback behind you when walking in the building” or “hit CTL-ALT-
DELETE and Lock when stepping away from the computer.” The themed
approach avoids this scenario.
Step 4: Content Development
Once the theme is chosen for the security awareness training, the content
should be developed to be as impactful as possible to achieve the highest
retention rate after training. Face-to-face training affords the ability to
combine video, music, props, and attendee interaction to create an unfor-
gettable learning environment (versus the two-dimensional Internet
training delivery mechanisms). Game shows, use of online videos, and in-
teractive skits to grab the participants’ attention work very well. Once the
security awareness training grabs attendees’ attention, it is not uncom-
mon to see that people enjoy coming to the sessions and are the first ones
to sign up in subsequent years.
Security awareness should be fun! One of the first places to start to
build the security training session is to go to the toy store and the party
store to buy some toys. As silly as this may sound, when people walk into
the room feeling like they are about to play a game, their mood changes
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 21/60
from “Is this going to be another boring security PowerPoint presenta-
tion?” to one of “Hey, this looks like fun!” Their curiosity takes over and
as a result, they are more likely to pay attention.
Security is a serious subject, but that does not mean that it has to be
presented that way to be impactful. If the security professional is uncom-
fortable with giving presentations that appear silly or humorous, then an-
other possibility is to enlist someone from corporate communications or
marketing for support. Imagine being in the place of the end user that is
required to attend mandatory awareness training. Programs should be
constructed in such a manner that the end-user wants to attend the secu-
rity awareness training.
Step 5: Communication and Logistics Plan
A one-page slide announcing the theme of the program should be devel-
oped as well as posters indicating the dates of the program. If multiple lo-
cations are part of the program, the poster could look something analo-
gous to rock concert tour dates to generate interest.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 22/60
E-mails to the end users at least 1 month prior to the awareness session
should be mailed, along with follow-up reminders at 2- and 1-week inter-
vals. People are often very busy and may appreciate the e-mail reminders
to sign up for the awareness session. Provisions for make-up signups
should also be planned by scheduling one or two make-up sessions after
the regular sessions have concluded. The e-mail reminders should stress
promptness in attending the sessions.
Each location should have signup sheets for the session to ensure that
sessions are appropriately filled and do not exceed the size of the room. A
good rule of thumb is to only have enough signups for five less than the
capacity of the session. For example, if the room will comfortably seat 30
people in the session, then permit 25 to sign up. Why? Because there will
always be some individuals that will add their names below the line ex-
ceeding the capacity. This can cause problems if tables and exercises were
set up for a group size of 25, but 30 show up. By planning for a maximum
of 30 people, and allowing 25 to sign up with a 5-person contingency,
there would be no problem if 30 people showed up.
Travel arrangements to the various sites are also determined in this
step, making reservations at least 30 to 60 days in advance to reduce the
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 23/60
costs of the program.
Step 6: Awareness Delivery
Details at this stage are very critical, as the security awareness session
should be managed as a production with contingencies for items that may
go wrong. The trainer should arrive at the room location at least 1 hour
before the start of the session so that the room can be set up in advance
of people arriving for the first session. Items such as visual props, table
arrangements, candy or food, evaluation sheets, and presentation copies
need to be arranged around the room. The LCD projector and computer
need to be tested to ensure the video, audio, and presentation operation
are working correctly.
Sessions should be no more than 1 hour, as the attention span starts to
fade after 45 to 60 minutes. Sessions should also be scheduled 30 minutes
apart to allow for (a) those individuals that arrive early to “get a good
seat,” (b) those individuals that stay after the last session to ask one-on-
one questions, and (c) set up for the next session. The trainer should be
available at the start of each session to greet each person as they enter
the room, and if the trainer is still running around setting up tables, pro-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 24/60
jectors, and props, he or she will not be available. Greeting each person
helps to make the program personable and starts the connection process,
which increases the likelihood the individual will pay more attention.
The delivery should be scripted, but be spontaneous at the same time.
Each subsequent delivery can incorporate what worked and remove
what did not work in the prior sessions.
Sessions should start 5 minutes after the posted start time of the session
and end 5 minutes prior to the end. Starting 5 minutes into the session ac-
counts for the latecomers that would miss the start of the session. In high
school, students have 5 minutes to get to their next class, but once people
get into the work world, they are faced with back-to-back meetings with
no built-in travel time. Ending 5 minutes early provides time for them to
fill out the evaluations.
Step 7: Evaluation/Feedback Loops
Evaluations provide insight into what is and is not working with the secu-
rity awareness program. The quality adage “If you can’t measure it, you
can’t improve it” applies to information security as well. Did the end
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 25/60
users enjoy the training? Did they learn what was expected? Was there
anything that could have been improved (content, logistics, delivery, un-
derstanding, etc.)?
One method that is highly successful is to provide a trade of sorts, or an
exchange, at the door as the attendees are leaving, exchanging a security
trinket for an evaluation. They may place the evaluation facedown in the
chair, but they do not receive the trinket unless they provide an evalua-
tion. A small percentage will be blank; however this technique usually re-
sults in 95% to 100% return of the evaluations.
The evaluations can then be tracked in a database by location, and as-
sessments of the training can be performed. Numerical scores are tabu-
lated (e.g., 4 out of 5 on a 5-point scale) and open-ended question re-
sponses are recorded. Quizzes several months after the training can be is-
sued to determine whether the preceding training was effective.
Security Awareness Training Does Not Have to Be Boring
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 26/60
By injecting some creativity into the security awareness program, the
training can be fun for the participants and fun for the creators. As a side
benefit, engaging security professionals where this is not their daily role
can broaden their own interpersonal and communication skills. The ap-
proach demonstrated in the aforementioned seven steps aides in the un-
derstanding and retention of the security message, which is the primary
goal of creating a fun security awareness program.
Targeted Security Training
Security awareness training provides the broad security training that is
sufficient for most of the organization. However, to ensure that the
proper skills are retained by the organization to carry out the implemen-
tation of the security policies, targeted training needs to be developed for
certain groups, primarily those individuals managing others and those
who are directly involved in an information security function.
Security administrators need targeted training in areas such as
Microsoft Active Directory, Resource Access Control Facility (RACF),
Access Control Facility (AC2), and UNIX administration to be able to set up
and administer accounts correctly. Depending upon the level of the staff
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 27/60
and the expectations, the depth of the training may vary. For example, the
security administrator that is setting up accounts may need training on
how to use the identity management system but not necessarily the tech-
nical details of Active Directory. On the other hand, the security analyst
who is responsible for building automated queries and processes may
need a seminar in Active Directory. Information security governance can-
not occur if individuals are not competent within their assigned jobs. This
does not mean that everyone needs the 5-day class, where a PowerPoint
or 2-hour hands-on training session may suffice.
Managers of employees and contractors typically require additional
training, usually an hour or less PowerPoint or learning management sys-
tem-type course to address issues such as access authorization using the
identity management system and the handling on on-boarding and termi-
nations. During the on-boarding process, security awareness training, en-
suring that background checks are completed, and providing the new
hires initial access are subjects that may be covered. When the employee
or contractor is terminated, the manager usually has some responsibility
to enter information into the system and collect physical property such as
badges, credit cards, laptops, and tokens. Communicating these require-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 28/60
ments through training can reduce the risk that these activities are not
occurring and increasing the exposure to the systems after the employee
leaves the company.
There are also specialized types of training depending upon the depart-
ment that may need to occur, such as training of the handling of a cus-
tomer care application, data center operations, and emergency response
training. Not everyone in the organization would need to do what is re-
quired in the event of an emergency in the data center, such as a fire,
however, the computer operators would need to know what to do to pro-
tect the data center and minimize the loss as well as how to safely
evacuate.
Continuous Security Reminders
A daily e-mail from the help desk explaining the latest security incident
would cause most users to set up an e-mail filter to move this type of e-
mail to the delete bucket. A balance of the security message must be
achieved whereby when the users see an information security message,
they are likely to read it and act upon it accordingly.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 29/60
E-mails of the latest incidents as applied to the organization can be very
beneficial, especially if employees can relate to the issues in their own
home environment. The breach involving Epsilon in 2011 where there
was an exposure to the e-mail accounts of millions of customers to firms
such as Chase, Citigroup, and Verizon, caused e-mail messages to be
spammed and appeared to be coming from these organizations. This rep-
resented a great opportunity for organizations to communicate what was
occurring and educate the end users about protecting their accounts.
Since this occurred to many users as part of their personal computer in-
volvement outside of work, this also has a side benefit of demonstrating
the organization’s caring for the associate. These opportunities should be
leveraged, which increase the likelihood of compliance to the security
policies.
Utilize Multiple Security Awareness Vehicles
The potential avenues for security communication can fill a book by
themselves. Some of the avenues for communication include
Company newsletters
Posters
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 30/60
Learning management system online presentations
Brown bag lunches
Links on corporate intranet sites
Weekly e-mails
Logon page or scrolling marquee messages
Hosting a “security day”
Monthly, short three- to five-page presentations
Online quizzes
Online “scavenger hunts”
Security contests
Each of these methods should be considered as supplemental to the
classroom-type training that is delivered face-to-face in person annually.
Posters should also be used sparingly and typically in support of a spe-
cific security awareness campaign. Posters that utilize slogans tend to
have limited lasting power beyond the campaign period. Posters can
serve as a great advertisement for ongoing online training or classroom
training, but by themselves have limited value. If posters are used, care
should be taken to track where the posters have been displayed so that
they can be removed in a timely manner. The messages should be impact-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 31/60
ful and address different security concerns beyond the “don’t share your
password” type of message. Relating the security message back to how
implementing security controls serves to protect the information for the
customers that entrust their information to us can be very impactful.
Security Officer Communication Skills
As discussed in Chapter 3 on Defining the Security Management
Organization and also in Chapter 4 on Interacting with the C-Suite, the
security officer must be able to interact with multiple levels of manage-
ment. Oftentimes when employees respond to the first survey that an or-
ganization issues on employee satisfaction, a frequent issue that surfaces
is lack of communication. What does this really mean? That the associate
did not feel listened to? That their ideas were not acted upon? That there
was not an avenue to provide input? That the manager or supervisor was
not sharing relevant news in a timely manner? It could be any one or
more of those items or something else.
The security officer must be able to communicate with individuals in
different levels of the organizational hierarchy, from the board of direc-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 32/60
tors to the end users and everywhere in between. There are different per-
sonalities that must be communicated with, different styles of working
and different ways that people deliver, receive, and process information.
The subsequent techniques can improve the ability of the security officer
or any security professional to communicate with others.
Talking versus Listening
Many people appear to believe that they are best communicating when
they are talking, however, when we are listening and the other person
feels that he or she has been heard, our ability to communicate is much
greater. Unfortunately, we block ourselves from effective listening by not
paying full attention to the person speaking. Those who are good listeners
tend to draw other people to them; people confide in them and they be-
come a trusted member of the team. By not listening, it sends the message
that what they have to say is not very important. Critical information is
then missed and opportunities to demonstrate that the person is cared
about is also missed. True listening involves providing our full attention.
Roadblocks to Effective Listening
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 33/60
There are 12 roadblocks that get in our way of effective listening, that
make it hard for us to truly listen to what the other person is saying
(McKay, 1995). Because listening is so crucial in communications, we
should continuously be aware of our behavior when another person is
speaking.
1. Comparing—While the other person is talking, you are trying to deter-
mine if you have had that situation before, and was it worse or not.
They may be talking about an issue that you have had before, and the
thought is running though your mind, “Hey, it isn’t that tough to com-
plete that, why are they having a problem.” By comparing, it is difficult
to listen to what their problem is, as the mind is busy analyzing our
own past experiences.
2. Mind reading—Instead of focusing on what the person is saying, the lis-
tener is focused on trying to understand the meaning behind what they
are saying and interpret what different situation is driving the com-
ments. For example, they may be saying “I have worked long hours to
review these security violation reports, and I am tired of reworking
them,” while the listener is thinking, “Oh, they just had a long day be-
cause they are going to school in the evenings and are probably just
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 34/60
tired.” This may not be the case at all, and in fact the real issue is that
the rework is preventing other work from being performed.
3. Rehearsing—The mind is too busy thinking of what the listener will say
next, that they are not focusing on the message that is being delivered.
In this case, the listener “appears” to be interested in what is being
said.
4. Filtering—The listener listens just long enough to hear whether the per-
son is angry, unhappy, or in danger. Once the emotion is determined,
then the listening stops and focuses on other activities or plans that the
person is thinking about. The listener only hears half of what is being
said.
5. Judging—Judging occurs when someone is prejudged before they even
start talking. A negative label is placed on the person who devalues
what they may have to say. If the person is seen as unqualified, incom-
petent, or lacking necessary skills by the listener, they may discount
what they have to say. This causes insights to be missed that could pro-
vide valuable insight to the solution.
6. Dreaming—When the talker mentions a thought that causes you to
think of something in your own life that is unrelated to what they are
saying, this is dreaming. They may be talking about what happens if
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 35/60
the contract that the company is bidding on is not won, what will hap-
pen to the security staffing levels, but before they get to ask the ques-
tions, your mind has drifted off to the last company that you worked
for that lost a huge contract and how you hated going through the re-
duction in force motions with your staff.
7. Identifying—Similar to dreaming, in this case every thing the person is
telling gets related back by the listener to an experience in their own
life. This is commonly shown when people are talking about a situation
and then a similar situation is parroted back from the listener’s life.
8. Advising—In this scenario, the listener is too busy thinking of the solu-
tion to the problem from the first few sound bites that they miss impor-
tant information or fail to pickup on how the listener is feeling.
9. Sparring—Quickly disagreeing by the listener causes the listener to
search for items to disagree with. This can take the form of a put-down
where the talker does not feel listened to and possibly humiliated.
10. Being right—This person will go to great lengths to demonstrate that
they are right, including standing by their convictions, not listening to
criticism, making excuses, shouting, and twisting the facts.
11. Derailing—The conversation is ended by changing the subject and
avoiding the conflict. This is sometimes done by joking to avoid the dis-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 36/60
comfort of having to discuss the subject.
12. Placating—The listener is very agreeable, as you want people to like
you, see you as nice, pleasant, and supportive. Listening may be at the
level just enough to get the idea of what is being said, however, you are
not fully engaged.
By being conscious of these blocks, they can be avoided to become a
better listener. There are also four steps to becoming a better listener, as
discussed in the next few sections.
Generating a Clear Message
Effective oral communication depends upon generating a series of clear,
straightforward messages that expresses the thoughts, feelings, and ob-
servations that need to be conveyed. Since over 90% of what we “hear” is
not from the words, but from the volume, pitch, and rhythm of the mes-
sage and the body movements, including facial expression, it is important
that our messages are congruent. We cannot be verbalizing the need for a
new, exciting security initiative with our posture slouched in the chair
and expect the recipient of the message to be as excited as we are (or po-
tentially not). Double messages should be avoided without hidden agen-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 37/60
das. Over the long-term, hidden agendas serve to undermine the security
department’s credibility.
Influencing and Negotiating Skills
Not everyone is going to automatically sign up for the information secu-
rity initiatives, especially if this means spending money that could be al-
located to other programs, involves an increase in the number of rules or
adds perceived overhead to their business operations. To successfully ne-
gotiate when discussing a position, the security officer must be able to
separate the problem from the individual. Direct attacks based upon
prior experience with a particular department will not help gain its sup-
port. The key is to look at the security initiative that is being proposed
from the perspective of the person that you are trying to influence. It is
also dangerous to try to read the other person’s mind as noted in the pre-
vious section and come to prejudged conclusions of their support or non-
support of the project. It is OK to postulate in advance what the stakehold-
ers may think about the situation to assist with the preparations; how-
ever, it is not prudent to come to foregone conclusions about their
reaction.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 38/60
Consider various options to implementing a strategy that may be pli-
able to the stakeholder. There is always more than one way to perform
something. A request by a business manager may be met with resistance
by the security officer. However, by brainstorming various options, one
of these solutions may be palatable, with some investigation, for both the
business manager and the security officer. Once options are determined,
these can be generated into requirements that are not demands but
rather where the solution is mutually agreeable.
Written Communication Skills
Written communication takes on several forms in today’s word from e-
mail, texting, twittering, social media (Facebook, Myspace, LinkedIn) post-
ing, report writing, policy/procedure writing, and memo writing. E-mail is
the predominant written form of communication and is much different
than writing a memo or a policy and procedure. Care must be taken to
know the audience and the purpose of the written communication.
Although e-mail is a very quick method to communicate across the orga-
nization, it is amazing how many e-mails people send that have incorrect
grammar, misspelled words, or use negative language. Since there is no
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 39/60
tone button on the e-mail that is sent, words must be chosen carefully so
as to not alienate the recipient. A simple request may turn into hurt feel-
ings if not written in a clear, nonconfrontational manner. E-mails are also
received almost as quickly as the send button is pressed, so extra care
needs to be made taken constructing the message. Although it may be
easy to become emotional over an issue, these are best handled by pick-
ing up the phone if they cannot be addressed using a fact-based, diplo-
matic written approach.
Presentation Skills
Presentations come with the territory and security officers will find them-
selves in the position of having to deliver a presentation to senior man-
agement. Since management has limited time, presentations need to be
focused with, “What do I hope to obtain or convey with this presenta-
tion?” Sometimes presentations will be an impromptu-type, such as the
30-second elevator speech, or it may be at the other extreme in the form
of a memorized speech. Most presentations are combination of the two,
whereby the presentation slides serve to guide the presentation, with
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 40/60
much of the material being an impromptu delivery (albeit prepared) by
the presenter. Presentation dos and don’ts are shown in Table 12.2.
Table 12.2 Presentation Dos and Don’ts
DO THIS DON’T DO THIS
Know the audience: General end
users? Technically oriented
users? Management?
Assume that the audience has the same
level of understanding.
Engage the audience by asking
questions.
Speak nonstop for 45 minutes or more
(beyond the normal attention span).
Use a mixture of audio, video, and
visual artifacts to make a point.
Exclusively using PowerPoint.
Translate the technical issues by
using analogies, stories, and
relating to common everyday
language.
Use technical security jargon when
unnecessary.
Make eye contact and use a
friendly demeanor.
Read the presentation slide by slide or
from note cards.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 41/60
Answer their questions using the
no-dumb-question rule.
Act superior to the questioner by
failing to recognize their comments as
valid, albeit they may be coming from
a different perspective or disagree.
Ask questions early to get the
audience engaged.
Completely, but briefly, answer their
questions.
If unsure of an answer, open the
question up to the group.
Lose credibility by talking about
subjects that you have little
experience with.
Leave time for questions and end
the presentation 5 minutes early
to permit time for attendees to
make their next meeting.
Speak right up until the end of the
hour and not get the conclusion or
discussion of options completed.
Focus on a few main objectives
for the presentation.
Provide histories (organization,
computing) that are not related to the
current discussion.
Keep the type text at least 24 font
point.
Use graphics that are hard to see or are
distracting (e.g., excessive use of
animation).
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 42/60
Speak with a microphone in
larger rooms so the audience in
the back of the room can hear.
Assume that your voice is loud enough;
some individuals may not be able to
pick up the modulation properly.
Applying Personality Type to Security Communications
Ideas emanating from the early work of Carl Jung, a Swiss psychologist,
were extended through the development of an instrument to indicate per-
sonality type differences by Isabel Myers and her mother Katharine Cook
Briggs in 1943 (Myers, 1995). This later became known as the Myers-
Briggs Type Indicator, or MBTI, which has been taken by millions of peo-
ple. The MBTI is a very powerful tool, which at its simplest form breaks
down all of the personalities into 16 types. Understanding each of these
16 types can help the security organization communicate more effectively
with different individuals based upon their type. In other words, it helps
to know how they may be wired to understand how they take in informa-
tion, make decisions, where they get their energy from, and how they or-
ganize their lives.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 43/60
The Four Myers–Briggs Type Indicator (MBTI) Preference Scales
The complete psychology explanation of the 16 types is well beyond the
scope of this book, but there are many useful books written on the MBTI
type noted at the end of this chapter. However it is useful to provide a
brief primer on the 16 types and, more important, what the implications
are for the information security department. There are four scales, with
each person having a natural preference for one of the two opposites on
each scale. While we all use each of the oppo-sites at different times, one
scale feels more natural to us most of the time. This natural tendency be-
comes our preference or the place where we are the most comfortable.
The combination of the four scales, with two opposite values, yields 16
combinations of letters. Each set of letters yields a describable personal-
ity, not in a stereotypical manner, but rather a mechanism to explain the
personality and what may be expected behavior, career interests, reac-
tions to certain events, and so forth from that personality type. It is im-
portant to note that no “preference” is better than another, it is just dif-
ferent. Each of us uses all of the dimensions of preference at some point,
and we flex our behaviors depending upon the situation. For example, an
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 44/60
introverted parent may flex their extraversion when providing discipline
to a child.
Extraversion versus Introversion Scale The first preference is about
where you prefer to get your energy: the external world (extraversion, E)
or from the inside world (introversion, I). Extraverts tend to get energy
from the people, interactions, and events, whereas introverts tend to de-
rive their energy from their internal thought, feelings, and reflections. It
is sometimes said that extraverts are processing information as they are
talking, while introverts tend to crystallize the idea internally first before
speaking. Introverts draw their energy from being alone, while the ex-
travert may feel drained by spending long periods without interaction.
Table 12.3 shows some of the characteristics of extraverts and introverts
(Kroger and Thuesen, 1992).
Table 12.3 Where Do I Prefer to Focus My Energy (Inner or Outer World)?
EXTRAVERSION (E)—TUNED INTO
OUTER WORLD OF PEOPLE AND
EVENTS
INTROVERSION (I)—DRAWN TO
INNER WORLD OF IDEAS AND
EXPERIENCES
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 45/60
Seek interaction Like to be alone
Enjoy groups Enjoy one-on-one conversation
Act or speak first, then think Think first, then speak or act
Sociable and expressive Think to themselves
Expend energy Conserve energy
Focus outwardly Focus inwardly
Take initiative in work and
relationships
Quiet, reserved
Like variety and action Like to focus on one thing at a time
Outgoing Enjoy reflecting
Breath of information Depth of information
Sensing versus Intuition Scale This preference indicates how informa-
tion is gathered. Sensing (S) individuals prefer to take in information
through their senses, such as seeing, hearing, smelling, and so forth, to
see what is actually happening. They are observant of what is going on
around them and very good at determining the practicality of the situa-
tion. Information presented is preferred to be delivered in a very specific
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 46/60
manner. Sensors tend to prefer to be presented with the facts and details
of what they are reviewing. About 70% of the world prefers to gather in-
formation this way.
Individuals that prefer to see the big picture to take in information
most likely prefer intuition (N) to gather information. They focus on the
relationship between various facts, facts that may not appear to have any
relationship to the sensor. They are good at seeing new possibilities and
new ways of doing things. Table 12.4 shows some of the characteristics of
sensing and intuition preferences.
Table 12.4 What Kind of Information Do I Normally Pay Attention To?
SENSING (S)—FOCUS ON
CONCRETE, REAL, ACTUAL
INTUITION (N)—FOCUS ON ABSTRACT,
RELATIONSHIPS, PATTERNS
Prefer facts, concrete data Prefer insights
Value practical applications Value imaginative insight
Present oriented Future oriented
Focus on reality, details,
specifics
Focus on the big picture, possibilities
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 47/60
Like step-by-step instructions Like to jump around, move in anywhere
Pragmatic Speculative
Value common sense Value innovation
Thinking versus Feeling Scale How decisions are made is attributed to
the decision-making preference, which has two ends of the scale, thinking
(T) and feeling (F). Thinkers tend to look at the logical ramifications of a
course of action. The goal of the thinker is to make a decision from an ob-
jective viewpoint and tend not to get personally involved in the decision.
They are often called firm minded and seek clarity in the decision. They
are good at figuring out what is wrong with something so that problem-
solving abilities can then be applied. The feelers tend to approach deci-
sion making based upon what is important to them and to the other peo-
ple. While the decision making of the thinker may gravitate toward what
is right, lawful, or concludes with justice, the feeler may base the decision
on person-centered values to achieve harmony and recognition of other
individuals through understanding, appreciating, and supporting others.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 48/60
In short, feelers tend to prefer empathy over intellect. Table 12.5 shows
some of the characteristics of thinkers and feelers.
Table 12.5 How Do I Make Decisions?
THINKING (T)—ANALYTICAL,
LOGICAL CONSEQUENCES,
PRINCIPLED
FEELING (F)—CONSIDER
IMPORTANCE TO THEM, OTHER
PEOPLE AND VALUES
Firm minded Gentle hearted
Objective, convinced by logic Subjective, convinced by values
Laws, justice, policy Humane, social values
Reasonable Compassionate
Logical problem solvers Assess impact on people
Don’t take things personally Likely to take things personally
Good at critiquing Good at appreciating
Judging versus Perceiving Scale The last preference indicates the pref-
erence as to how you orient your world. Judgers (J) want to regulate and
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 49/60
control life by living in a scheduled, organized, and structured way. They
do not like things unsettled and want order in their lives. They enjoy their
ability to stick to a schedule and get things done. For the judgers there is
usually a right way and a wrong way to do things.
Perceivers (P) prefer to be flexible and adaptable in different situations.
They want to be able to be spontaneous and flexible to rise to the oppor-
tunity as it presents itself. They are called perceivers due to their ability
to keep collecting new information, rather than draw premature conclu-
sions on a subject. In other words, they prefer the open-endedness and
ability to change their decision based upon new information. Table 12.6
shows some of the characteristics of judgers and perceivers.
Table 12.6 How Do I Organize My World?
JUDGING (J)—PLANNED,
ORDERLY, CONTROLLED LIFE
PERCEIVING (P)—FLEXIBLE,
SPONTANEOUS, EXPERIENCE LIFE
Seek closure, things settled Seek openness
Value structure, goals Like flexibility, tentative
Scheduled, methodical Spontaneous, flexible
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 50/60
Systematic Casual
Like closure and have things
decided
Like to have their options open, able to
change
Avoid last-minute stresses Energized by last-minute pressures
Enjoy completing projects Enjoy starting projects
Determining Individual MBTI Personality
Using the aforementioned descriptions and characteristics, by now it
should be possible to determine your approximate MBTI or set of four let-
ters describing your personality. This can be used as a guide for the next
section in determining the individual temperament. The actual determi-
nation of the letters is more accurately determined by taking an assess-
ment of the MBTI® by Consulting Psychologists Press, containing more
than 200 preference questions and determining the letters with more ac-
curacy (CPP, 1993). In real life, we have to learn to approximate the
Myers-Briggs of our peers, unless we ask them if they know what theirs
are, as they are not going to take a 200-plus question assessment for us!
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 51/60
Over time, speed reading the types for individuals become easier and a
very valuable tool for interacting with others.
The Four Temperaments In an effort to distill the 16 types into common-
alities for ease of discussion, David Keirsey portioned the 16 types into
four temperaments by grouping the Sensing-Perceiving (SPs), Sensing-
Judging (SJs), Intuition-Thinking (NTs), and Intuition-Feeling (NFs)
(Keirsey, 1998). Although there are individual differences due to the other
two letters that make up each set of 4 letters (for an individual’s personal-
ity), there was a strong commonality within these groups, which simpli-
fies the discussion of their temperament.
Following is a brief description of some of the characteristics of person-
ality types that fall into each of the four temperaments, along with the im-
plications as to how security should be communicated with each temper-
ament. For example, the SJ temperament consists of those individuals
who have the ESTJ, ISTJ, ESFJ, or ISFJ personality preferences. For exam-
ple, the ESTJ natural preferences are to obtain their energy from ex-
traversion, gather information through sensing (concrete, detail-ori-
ented), make decisions based upon thinking (logical, analytical values),
and orient their world through Judging (schedule oriented, organized).
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 52/60
The ESTJs share some common characteristics with the other SJs (ISTJ,
ESFJ, ISFJ), even though they may vary on one of the other dimensions.
SJ “Guardian” Temperament Those personality preferences sharing the
SJ temperament (ESTJ, Supervisor; ISTJ, Inspector; ESFJ, Provider; ISFJ,
Protector) share characteristics of being reliable, organized, task focused,
and hard working at their best. At their worst, they may be perceived as
being judgmental, controlling, inflexible, or close minded. They typically
respect the laws and traditions of society, like to be in charge, have a stan-
dard way of doing things, expect others to be realistic, strive to belong
and to contribute, have high expectations of themselves and others, are
critical of mistakes and may fail to reward expected duties, have diffi-
culty refusing to take on other assignments, and do not like surprises.
They are also good at anticipating problems.
While people of any temperament can be successful at any job, there
are some careers that attract this temperament more than others. The SJ
temperament may choose careers as a project manager, regulatory com-
pliance officer, budget analyst, chief information officer, bank
manager/loan officer, government employee, administrative assistant,
nurse, auditor, pharmacist, engineer, or an accountant. These are jobs
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 53/60
typically involving adhering to a set of rules and standards without a
large amount of ambiguity, which is attractive to the SJ temperament. SJs
are also attracted toward positions that can create financial security.
When communicating information security issues with the SJ tempera-
ment, it is important that if something was done wrong, that regret is ex-
pressed and a simple I’m sorry is used. This can set things straight and al-
low the SJ to move forward. SJs should be appreciated for their responsi-
bility and willingness to handle the details of the situation in the form of
compliments. For example, individuals in the security group managing
the very detailed logging and monitoring may be of the SJ temperament
as evidenced by their willingness to handle and organize the vast amount
of detail.
Commitments must be kept with SJs to win their trust. If the CEO is an
SJ and there were promises made to implement a security initiative by
the end of March so that a new product could be launched in May, the
CEO who shares this personality type preference will most likely be less
forgiving than the SP type, for example, when the deadline is not met.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 54/60
Communications with SJs should be specific and practical, as Dragnet’s
Joe Friday would iterate, “Just the facts ma’am. Just the facts.” SJs are also
resistant to change and need to be brought into change more slowly with
logical reasons for the change. However, once the change has been em-
braced, they can be one of the strongest supporters of the change.
SP “Artisan” Temperament The SP temperament (ESTP, Promoter; ISTP,
Crafter; ESFP, Performer; ISFP, Composer) personality types may be
viewed as the action seekers. They may be viewed as optimistic, generous,
fun loving, adventurous, realistic, and adaptable at their best, or hyperac-
tive, impatient, impulsive, and scattered at their worst. They enjoy life in
the here and now, highly value freedom and action, like risk and chal-
lenge, are spontaneous, may be perceived as indecisive, are observant,
ask the right questions to get what they need, respond well to crisis, like
short-term projects, and dislike laws and standard ways of doing things.
This is sharp contrast to the SJ temperament previously discussed, which
thrives on standards and ensuring that the rules are being followed.
For career selections, the SPs tend to gravitate toward careers that per-
mit them to experience life versus a means toward an end. Potential ca-
reer choices for the SJ may include emergency room nurse, medical as-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 55/60
sistant, photographer, police officer, public relations specialist, fire/ insur-
ance fraud investigator, news anchor, airline mechanic, marine biologist,
or paramedic/firefighter. In the security field, individuals wanting the ex-
citement of responding to a disaster recovery situation or an intrusion
may gravitate toward this area.
When communicating with the SP temperament, appreciation should
be shown for their enthusiasm, common sense, and ability to deal with
crisis. Joining in some of their activities may be appropriate, such as an
invitation to meet them and a group of security vendors after work.
Business executives of this type may be part of the golf club or bowling
league, and this would be a good opportunity to network with these indi-
viduals and build rapport to create a nonadver-sarial environment. Given
choices and alternatives, those sharing the SP temperament will want to
do things their own way in their own timeframe. Issues should be pin-
pointed and overwhelming them with information avoided. They also do
not like being told how to change or what to do.
NF “Idealist” Temperament Those sharing the NF temperament (ENFJ,
Teacher; INFJ, Counselor; ENFP, Champion; INFP, Healer), known as the
ideal seekers, share the characteristics of being compassionate, loyal
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 56/60
helpful, genuine, warmhearted, and nurturing at their best, or may be
perceived as moody, depressed, or oversensitive at their worst. They are
stimulated by new ideas, take an antiauthoritar-ian attitude, often side
with the underdog, see possibilities in institutions and people, search for
meaning and authenticity, self-actualize, maintain close contact with oth-
ers, give freely and need positive appreciation, and are good listeners.
NF temperaments may gravitate toward jobs such as psychologist, soci-
ologist, facilitator, career counselor, travel agent, human resources re-
cruiter, teacher (health, art, drama, foreign language), social worker, or
hotel and restaurant manager.
When communicating with the NF temperament, cards, gifts, compli-
ments and adoration go a long way. They are sensitive to criticism, so ex-
tra tact is necessary. Patience is needed to understanding of their need to
express their feelings. Their support can be gained by appealing to their
creativity and vision of their ideals.
NT “Rational” Temperament Individuals sharing the NT temperament
group (ENTJ, Field Marshal; INTJ, Mastermind; ENTP, Inventor; INTP,
Architect), known as the knowledge seekers, have strengths of being in-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 57/60
novative, inquisitive, analytical, bright, independent, witty and compe-
tent at their best, or they may be perceived as arrogant, cynical, critical,
distant, or self-righteous at their worst. They work well with ideas and
concepts, value knowledge and competency, understand and synthesize
complex information, anticipate future trends, focus on long-term goals,
like to start projects (although not as good on follow-through), not always
aware of other’s feelings, aim for mastery, and deal with the day-to-day
details but have little interest in them.
Knowledge seekers may be found as an executive, senior manager, per-
sonnel manager, sales/marketing manager, technical trainer, network in-
tegration specialist, technical writer, investment banker, attorney, psychi-
atrist, database administrator, credit analyst, technical project manager,
architect, or Web developer/computer programmer.
When communicating a security concern or initiative with the NT tem-
perament, the security professional should attempt to appreciate their ob-
jectivity, quick minds, and knowledge. Since they value mastery in what
they do, conversations that are intellectually stimulating should be pur-
sued, feelings should be avoided in conversation, and debate with them,
letting them know frequently you value their insights. Many of the techni-
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 58/60
cal staff involved in connecting patterns together, such as the network en-
gineers or database administrators, can become supportive of the secu-
rity program by simply asking them for their input and genuinely incor-
porating their insights into the security strategy and subsequent
implementations.
Summing Up the MBTI for Security
Communication is so important and goes well beyond providing a written
report or an oral presentation; it is how we interact with others on a daily
basis. As the security program must remain credible to be effective, we
must ensure that we are communicating the security messages clearly,
and in a manner in which they will be heard. We tend to communicate by
default by the manner that we are comfortable receiving. Unfortunately,
and fortunately, we are not all the same, and we take in and process in-
formation differently. To be successful within the organization, the secu-
rity officer and his or her team need to be able to communicate at an ap-
propriate level with others within the organization. Understanding the
differences in personalities will increase the effectiveness of the security
message that needs to be delivered.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 59/60
1.
2.
3.
4.
5.
Suggested Reading
McKay, M., Davis, M., and Fanning, P. 1995. How to communicate: The ultimate
guide to improving your personal and professional relationships. New York: MJF
Books.
National Institute of Standards and Technology (NIST). October 2003. Special
Publication 800-50: Building an information security technology security aware-
ness and training program, http://csrc.nist.gov/publications/nistpubs/800-
50/NIST-SP800-50.pdf
National Institute of Standards and Technology (NIST). October 1995. Special
Publication 800-12: An introduction to computer security: The NIST handbook.
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
Herold, R. 2005. Managing an information security and privacy awareness and
training program. Boca Raton, FL: Auerbach.
Tieger, P. D., and Barron-Tieger, B. 1998. The art of speedreading people: Harness
the power of personality type and create what you want in business and in life.
Boston: Little, Brown and Company.
5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 60/60
6.
7.
8.
9.
10.
11.
Tieger, P. D., and Barron-Tieger, B.1998. Do what you are: Discover the perfect ca-
reer for you through the secrets of personality type. Boston: Little, Brown and
Company.
Myers, I. B., and Myers, P. 1995. Gifts differing: Understanding personality type, 2nd
ed. Palo-Alto, CA: Davies-Black.
Kroeger, O., and Thuesen, J. M. 1992. Type talk at work. New York: Tilden Press.
Bolton, R., and Bolton, D. G. 1996. People styles at work:Making bad relationships
good and good relationships better. New York: Ridge Associates.
Keirsey, D. 1998. Please understand me II: Temperament, character, intelligence. Del
Mar, CA: Pometheus Nemesis.
Myers, I. B.1993. Introduction to type, 5th ed. Palo Alto, CA: Consulting
Psychologists Press, Inc.