question

profilejimpop1998
Chapter12EffectiveSecurityCommunications_InformationSecurityGovernanceSimplified.pdf

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 1/60

12

Effective Security Communications

The meeting of two personalities is like the contact of two chemical sub-

stances: if there is any reaction, both are transformed.

Carl Gustav Jung, 1875–1961

Why a Chapter Dedicated to Security Communications?

If the phrase security communications conjures thoughts of the network,

protocols, blocking, terminating communications, ensuring messages get

from point A to point B intact, and must be available 24/7, you are correct.

However, the topic is not about computer communications but rather hu-

man communications. Information security governance depends upon

humans to deliver the right message to the right individuals at the right

time in the right manner for the messages to be heard and acted upon.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 2/60

Imagine for a moment that the information security department cre-

ates a plethora of security policies representing the equivalent of creating

the Mona Lisa to an artist or creating a team of athletes that wins the

Super Bowl. Imagine then that what would have happened if no one had

ever seen the Mona Lisa that was stored in an attic or the team that was

capable of winning the Super Bowl never showed up for its games? A sim-

ilar fate can fall upon the information security program if information se-

curity policies, ideas, and initiatives are not properly communicated.

True information security governance may look good on paper, with poli-

cies drafted and technical solutions appearing to be in place, but if these

are not communicated properly, security governance is really not

occurring.

Security communication takes on many forms such as the publishing of

information security policies, selling the next information investment to

management, explaining the current status of security audit issues to the

board of directors, crafting security e-mail messages of the latest security

concerns, or simply having a conversation about a security issue with a

security colleague or business unit manager. It should be clear that every

communication by every individual associated with the information secu-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 3/60

rity team has the potential to either (a) provide increased credibility and

support to the information security program or (b) cause the information

security area to be viewed as a roadblock or lessen trust that the security

group has the organization’s best interests front and center.

Communication skills are constantly evaluated as we are growing up—

from formal penmanship, written communication skills, listening skills,

plays well with others, and speaks up when called upon as a child to the

formal performance reviews where written and oral communication skill

competencies are evaluated on an annual basis. The continuous evalua-

tion of these skills indicates the importance of them. After all, how effec-

tive can we be in the workplace if we cannot effectively communicate

with others? Hence, due to this importance, this chapter is dedicated to-

ward how security professionals can improve their communication skills

to convey the appropriate security messages throughout the organization.

Different aspects of communication are explored and by understanding

the different communication styles that are occurring within the com-

pany, the security executive and professional can be more effective in

constructing and delivering the appropriate message.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 4/60

End User Security Awareness Training

One of the debates over the past decade has been whether information

security awareness training has been effective. Much of this concern is

generally started from an analysis of the number of security incidents in

a given year and then concluding whether the end users were receiving

the message and acting in a secure manner in their day-to-day jobs. The

conclusion then usually suggests that technical controls need to be imple-

mented to take out the risk of “human error.” Unfortunately, these con-

clusions are made without the benefit of a scientifically controlled experi-

ment, whereby the “test group” of users of the same organization re-

ceived no security awareness training were evaluated against a “control

group” in order to determine whether there would have been more or

fewer incidents experienced by the control group. Obviously, technical

controls are very important to the information security program, and are

necessary to address the aspects such as antivirus, encryption, firewalls,

security mechanisms, physical security, authentication, and monitoring,

but given that technical controls cannot fully address the end-user behav-

iors, security awareness training must be in place to reduce the risk.

Information also comes in nontechnical forms (oral and paper docu-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 5/60

ments) that cannot be secured by technical means or without the dili-

gence and assistance of the end user. For example, a policy may state that

all documents transported between the office and home need to be trans-

ported in a locked container. If the end user is not aware of the policy or

does not understand the rationale for the policy, she might decide it is not

necessary and not place the documents in a locked box. Alternatively, an

individual may load boxes of documents in his car in the wintertime,

leaving the engine running to keep it warm while hr runs back into the

house to retrieve more boxes for loading. Meanwhile, the end user may

be taking an increased risk that the car will be stolen and the confidential

documents exposed. Since there are no technical controls to prevent this

(other than the end user locking the door in between trips), security

needs to be continuously reinforced with the end user to reduce the risk

of this type of error.

Awareness Definition

Security awareness training is different from security training. The

National Institute of Standards and Technology Special Publication 800-

50: Building an Information Security Technology Security Awareness and

Training Program (NIST, 2003) provides the following definition:

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 6/60

Awareness is not training. The purpose of awareness presentations is simply

to focus attention on security. Awareness presentations are intended to allow

individuals to recognize IT security concerns and respond accordingly. In

awareness activities, the learner is the recipient of information, whereas the

learner in a training environment has a more active role. Awareness relies on

reaching broad audiences with attractive packaging techniques. Training is

more formal, having a goal of building knowledge and skills to facilitate job

performance.

In short, the basic objective of security awareness training is to (1) pro-

vide enough information to the end users as to what they and others

should and should not do and recognize what would constitute a security

incident, and (2) know what they should do if they recognize or suspect

that a security incident has occurred. If these two objectives have been

met, then the information security awareness program has been

successful.

Delivering the Message

Information security programs fall short of the message when the secu-

rity message is not crafted in a manner that grabs the end users’ attention

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 7/60

or fails to provide them with the necessary information. Let’s face it,

many security people progressed to higher levels within the organization

due to their technical abilities, not based upon their communication or

marketing skills. Providing information security awareness is essentially

marketing—inducing the recipient of the message to buy something (in

this case buy into) what they ordinarily may not have thought to buy on

their own. Savvy marketers craft the message not in pages of boring tech-

nical, jargon-filled presentations, but rather in short, high-impact, sound-

bite type messages that grab our attention and are retained. Security pro-

fessionals must do the same. The following seven steps, adapted from

NIST security awareness guidance, provide a process for delivering an ef-

fective information security program.

Step 1: Security Awareness Needs Assessment

Assessing security awareness is often an overlooked step when first im-

plementing a security awareness program. Without knowing where the

highest risk areas or areas that have been causing the most incidents are,

valuable time with the end users could be wasted. The needs can be de-

termined from multiple sources, as described next.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 8/60

New or Changed Policies   If the organization is rolling out a new iden-

tity management system or a new incident reporting process, this may be

a good time to explain how this will work. Or a new law or regulation

could mandate new reporting requirements that would need to be

communicated.

Past Security Incidents   Past breaches can provide a wealth of informa-

tion from which to construct the security awareness program. These are

also very useful in obtaining the end users’ attention, as it demonstrates

that security issues are occurring within their organization versus a theo-

retical concept that “this could happen.” It also reduces the likelihood that

the end user will think that the security department is sensationalizing

the news. Care should be taken when presenting actual incidents within

the company that it is not possible for the end users to deduce the person

or in which department that the individual was working. This could

cause some ethical and legal issues in disclosing personal human re-

source issues. The objective is to explain the incident so that the same

type of incident does not reoccur through someone else’s behavior.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 9/60

Incidents of the same type that have a high number of occurrences would

be excellent candidates for targeted security awareness training.

Systems Security Plans   Systems security plans (SSPs) document the cur-

rent state of an information security system and can take the form of a

major application (MA) or general support system (GSS). Since these plans

define the overall business objective of the system, the infrastructure,

and the managerial, technical, and operational controls required to sup-

port the system, these documents can provide excellent sources of the

types of information that needs to be shared with the end users. For ex-

ample, if there are many business partners that are part of the infrastruc-

ture, the end users may need to be made aware of which email communi-

cations are secure or what is permissible to discuss with the business

partner due to intellectual property rights that are defined in the systems

security plan.

Audit Findings and Recommendations   If there are recurring audit is-

sues that have not been mitigated, these should be included in the secu-

rity awareness training. Since auditors cannot audit 100% of everything,

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 10/60

samples are taken that represent a statistical significance if an issue is

found. The issues found may or may not have occurred across every de-

partment; however, that does not mean that the issue is not broader than

the audit issue found. For example, the auditors may pull a sample of

policies and procedures and determine that they have not been updated

on an annual basis for a couple of departments. Odds are, just as when a

pest exterminator sees one mouse, there are likely to be many more, so is

it likely that other areas have not been following the process of annual

updates. Typically these are issues of security governance across the orga-

nization; the tone at the top has not made this a priority or there have not

been the processes in place to monitor and ensure this is completed on an

annual basis. Repeat audit issues should always be addressed either to a

targeted group or broadly across the organization, depending upon the

issue.

Event Analysis   Similar to security incidents, event analysis of the moni-

toring logs can highlight areas of concern. These are likely to evolve into

targeted training more than security awareness training. For example,

logs indicating that firewall vulnerability is repeatedly being exploited by

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 11/60

external hackers may indicate the need to train the network group on de-

vice configurations.

Industry Trends    Introduction of new technology into the marketplace

can provide a rich source for discussion. Discussing the use of social me-

dia in the workplace, such as Facebook, LinkedIn, or Myspace will pro-

vide relevant discussion of issues that most end users can relate to.

Alternatively a discussion of the use (or nonuse) of personal e-mail and

the acceptable use policy to govern appropriate Internet behavior will be

of interest to the end users. The security officer has to keep abreast of the

current industry trends to ensure that the risks are mitigated, as new

technologies are often released first and then security controls are added

second. The reality of this situation is that products are usually in a race

to become the first to capture market share and may not have imple-

mented the necessary security controls. As an example, consider the evo-

lution of the Windows operating system and how it took almost nine re-

leases over a period of more than two decades to build-in many of the se-

curity concepts that are expected today.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 12/60

Management Concerns   Managers should be polled to determine what

issues they are aware of that need more focus. They may be concerned

with documents not being properly disposed or laptops not being put

away at the end of the day or securely transported.

Organizational Changes    After reorganizations, employees are often-

times reporting to a new manager that may operate differently. This is a

good time to reinforce the security concepts. Locations may have closed

during the reorganizations or whole departments eliminated, thus creat-

ing potential changes in the security procedures.

Step 2: Program Design

Communications can either happen through the best intentions or be de-

signed. By approaching the security awareness program as something

that must be designed, the chances of leaving out critical components are

lessened. A car would not be produced without a design; a TV show

would not be delivered without a script to guide the flow of the contents.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 13/60

Target Audience   A cliche in providing presentations is to know your au-

dience. The security awareness presentation delivered to a group of air-

line mechanics may be different than to a group of customer service rep-

resentatives. The analogies or stories used in the presentation to connect

with the audience may be different. For example, relating the informa-

tion security concepts of physical protection to ensure that no unautho-

rized people are in the hangar that could cause loss of life by tampering

with the airplane engine parts may be effective with the airline mechan-

ics. The customer service representatives may relate to the importance of

verifying the caller with identifying information so as to not release con-

fidential information to the wrong person. Alternatively, talking about

sending faxes to the wrong healthcare provider would have little rele-

vance to the airline mechanics.

Frequency of Sessions    Security awareness training should be per-

formed minimally once a year and preferably during a time in the busi-

ness cycle that will not cause an increased burden in meeting the com-

pany objectives. For example, having a training session for a group of ac-

countants at fiscal yearend or right before tax season would not be wel-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 14/60

comed. If face-to-face sessions are used, scheduling of the sessions needs

to be planned so that there is ample time for individuals to plan the train-

ing into their schedules.

Number of Users   Face-to-face sessions work best when the number is

kept to 30 or less. A group of this size allows for interaction and more ex-

change of information between the participants. Schedules should be

drawn up 6 to 8 weeks in advance of the training to ensure the greatest

attendance and to obtain the appropriate facilities.

Method of Delivery   Face-to-face sessions work best, however, these are

also time consuming, as multiple sessions are needed to cover the work-

force in groups of 25 to 30 people. The security officer and his staff have

to dedicate significant resources to this task, especially if the associates

are spread out across multiple locations. As a result of cost reductions,

some security departments have gravitated to online learning manage-

ment systems to deliver PowerPoint-type contact to the end user. The dif-

ficulty with this approach is that users may simply click through the ma-

terial without providing their full attention, which is much harder to do

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 15/60

in an interactive security awareness session. Even though quizzes can be

incorporated into the material to determine whether the end user was

paying attention, it is difficult to ascertain if the end user was truly en-

gaged. The more engaged the participants in the learning process, the

greater the likelihood that the material will be retained.

Resources Required    The labor, materials, locations, and budget re-

quired for the program need to be reviewed. At this stage the full costs

may not be known, however, the budget parameters should be deter-

mined. It would not be unreasonable to spend 1% to 2% of the informa-

tion security budget on security awareness training and a greater per-

centage on a small budget.

Step 3: Develop Scope

The security awareness program must be scoped or there is a risk that the

message will be lost in delivering the training. Scoping utilizes the needs

assessment captured in step 1 and determines what topics are provided.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 16/60

Determine Participants Needing Training   Once the scope of the train-

ing has been initially defined, the population that is required to attend or

participate in the training needs to be defined. Depending upon the com-

pany desire or the law or regulation, all employees, including contractors

requiring systems access may be subject to the training. If a subcontrac-

tor relationship exists with another firm that is performing work on the

organization’s behalf, then it should be determined whether the subcon-

tractor should provide its own security awareness training (as the sub-

contractors are employees or contracted to that firm) or should the com-

pany that hired the subcontractor require the security awareness training

provided to its own employees.

New hires present a special situation that must be addressed. The orga-

nization may require annual refresher training for the existing employ-

ees and contractors, but the new hires also need the security awareness

training from day one. New hires should not be allowed access to the sys-

tem until they have had some form of security awareness training. One

technique that is very effective is to have the hiring manager provide se-

curity awareness training to the employee (e.g., in the form of a

PowerPoint presentation); have the employee sign an attestation that they

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 17/60

have read the security requirements, understand them, and will abide by

them; and have the manager fax or e-mail the signed copy to the security

administration or access management department or whichever depart-

ment is responsible for account establishment. Once the fax or e-mail is

received, then the department can release the login ID and password to

the manager to provide to the employee. The employee would then log on

and change the onetime password. In this manner, the new hire has the

appropriate on-boarding security awareness training that may not line

up with the scheduled annual awareness training, which they would take

during the next cycle with everyone else.

Business Units   Security awareness training is generally developed for

the current cycle (i.e., annual training) and provided to everyone in the

organization. However, there may be special situations where the train-

ing is customized to a particular department because of different

concerns.

Select Theme   One of the most important aspects in designing a security

awareness program is to select a theme for the training. A list of themes is

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 18/60

shown in Table 12.1. This helps to focus the training around a subject and

keeps the scope from drifting. Selecting a theme does not limit the cre-

ativeness of the training, but rather permits the designer to build the pro-

gram around a common concept while introducing other security-related

items into the program. For example, while constructing a security

awareness training program using the theme “Internet and E-mail

Security,” the concepts of antivirus, confidentiality, non-sharing of pass-

words, encryption, phishing, and website malware can be introduced into

the training.

Table 12.1 Security Awareness Themes

Appropriate

Internet usage

Viruses, worms,

Trojans,

malicious code

Spyware Phishing attacks

E-mail security Identity Theft Confidentiality,

information

sensitivity

Spam

Social engineering Incidents and

incident

Shoulder surfing Government

regulations

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 19/60

response

Wireless security Tablet

computing

Smartphones Laptop security

Copyright

protections and

licensing

Need-to-know

access

Individual

security

responsibility

Password

management

E-mail etiquette Clean desk

policy

Home network

usage

Protecting

yourself and

your company in

a disaster

Handling of

protected health

information or

credit card data

Latest

information

security events

in the news

What is risk? Obtaining access

to information

The common mistake is that the fire hose method of security awareness

education is used, and all possible aspects of security are communicated

during a 1 to 2 hour presentation or during a webinar. The end users eyes

glaze over and little is retained other than “be sure to not let someone

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 20/60

piggyback behind you when walking in the building” or “hit CTL-ALT-

DELETE and Lock when stepping away from the computer.” The themed

approach avoids this scenario.

Step 4: Content Development

Once the theme is chosen for the security awareness training, the content

should be developed to be as impactful as possible to achieve the highest

retention rate after training. Face-to-face training affords the ability to

combine video, music, props, and attendee interaction to create an unfor-

gettable learning environment (versus the two-dimensional Internet

training delivery mechanisms). Game shows, use of online videos, and in-

teractive skits to grab the participants’ attention work very well. Once the

security awareness training grabs attendees’ attention, it is not uncom-

mon to see that people enjoy coming to the sessions and are the first ones

to sign up in subsequent years.

Security awareness should be fun! One of the first places to start to

build the security training session is to go to the toy store and the party

store to buy some toys. As silly as this may sound, when people walk into

the room feeling like they are about to play a game, their mood changes

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 21/60

from “Is this going to be another boring security PowerPoint presenta-

tion?” to one of “Hey, this looks like fun!” Their curiosity takes over and

as a result, they are more likely to pay attention.

Security is a serious subject, but that does not mean that it has to be

presented that way to be impactful. If the security professional is uncom-

fortable with giving presentations that appear silly or humorous, then an-

other possibility is to enlist someone from corporate communications or

marketing for support. Imagine being in the place of the end user that is

required to attend mandatory awareness training. Programs should be

constructed in such a manner that the end-user wants to attend the secu-

rity awareness training.

Step 5: Communication and Logistics Plan

A one-page slide announcing the theme of the program should be devel-

oped as well as posters indicating the dates of the program. If multiple lo-

cations are part of the program, the poster could look something analo-

gous to rock concert tour dates to generate interest.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 22/60

E-mails to the end users at least 1 month prior to the awareness session

should be mailed, along with follow-up reminders at 2- and 1-week inter-

vals. People are often very busy and may appreciate the e-mail reminders

to sign up for the awareness session. Provisions for make-up signups

should also be planned by scheduling one or two make-up sessions after

the regular sessions have concluded. The e-mail reminders should stress

promptness in attending the sessions.

Each location should have signup sheets for the session to ensure that

sessions are appropriately filled and do not exceed the size of the room. A

good rule of thumb is to only have enough signups for five less than the

capacity of the session. For example, if the room will comfortably seat 30

people in the session, then permit 25 to sign up. Why? Because there will

always be some individuals that will add their names below the line ex-

ceeding the capacity. This can cause problems if tables and exercises were

set up for a group size of 25, but 30 show up. By planning for a maximum

of 30 people, and allowing 25 to sign up with a 5-person contingency,

there would be no problem if 30 people showed up.

Travel arrangements to the various sites are also determined in this

step, making reservations at least 30 to 60 days in advance to reduce the

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 23/60

costs of the program.

Step 6: Awareness Delivery

Details at this stage are very critical, as the security awareness session

should be managed as a production with contingencies for items that may

go wrong. The trainer should arrive at the room location at least 1 hour

before the start of the session so that the room can be set up in advance

of people arriving for the first session. Items such as visual props, table

arrangements, candy or food, evaluation sheets, and presentation copies

need to be arranged around the room. The LCD projector and computer

need to be tested to ensure the video, audio, and presentation operation

are working correctly.

Sessions should be no more than 1 hour, as the attention span starts to

fade after 45 to 60 minutes. Sessions should also be scheduled 30 minutes

apart to allow for (a) those individuals that arrive early to “get a good

seat,” (b) those individuals that stay after the last session to ask one-on-

one questions, and (c) set up for the next session. The trainer should be

available at the start of each session to greet each person as they enter

the room, and if the trainer is still running around setting up tables, pro-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 24/60

jectors, and props, he or she will not be available. Greeting each person

helps to make the program personable and starts the connection process,

which increases the likelihood the individual will pay more attention.

The delivery should be scripted, but be spontaneous at the same time.

Each subsequent delivery can incorporate what worked and remove

what did not work in the prior sessions.

Sessions should start 5 minutes after the posted start time of the session

and end 5 minutes prior to the end. Starting 5 minutes into the session ac-

counts for the latecomers that would miss the start of the session. In high

school, students have 5 minutes to get to their next class, but once people

get into the work world, they are faced with back-to-back meetings with

no built-in travel time. Ending 5 minutes early provides time for them to

fill out the evaluations.

Step 7: Evaluation/Feedback Loops

Evaluations provide insight into what is and is not working with the secu-

rity awareness program. The quality adage “If you can’t measure it, you

can’t improve it” applies to information security as well. Did the end

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 25/60

users enjoy the training? Did they learn what was expected? Was there

anything that could have been improved (content, logistics, delivery, un-

derstanding, etc.)?

One method that is highly successful is to provide a trade of sorts, or an

exchange, at the door as the attendees are leaving, exchanging a security

trinket for an evaluation. They may place the evaluation facedown in the

chair, but they do not receive the trinket unless they provide an evalua-

tion. A small percentage will be blank; however this technique usually re-

sults in 95% to 100% return of the evaluations.

The evaluations can then be tracked in a database by location, and as-

sessments of the training can be performed. Numerical scores are tabu-

lated (e.g., 4 out of 5 on a 5-point scale) and open-ended question re-

sponses are recorded. Quizzes several months after the training can be is-

sued to determine whether the preceding training was effective.

Security Awareness Training Does Not Have to Be Boring

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 26/60

By injecting some creativity into the security awareness program, the

training can be fun for the participants and fun for the creators. As a side

benefit, engaging security professionals where this is not their daily role

can broaden their own interpersonal and communication skills. The ap-

proach demonstrated in the aforementioned seven steps aides in the un-

derstanding and retention of the security message, which is the primary

goal of creating a fun security awareness program.

Targeted Security Training

Security awareness training provides the broad security training that is

sufficient for most of the organization. However, to ensure that the

proper skills are retained by the organization to carry out the implemen-

tation of the security policies, targeted training needs to be developed for

certain groups, primarily those individuals managing others and those

who are directly involved in an information security function.

Security administrators need targeted training in areas such as

Microsoft Active Directory, Resource Access Control Facility (RACF),

Access Control Facility (AC2), and UNIX administration to be able to set up

and administer accounts correctly. Depending upon the level of the staff

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 27/60

and the expectations, the depth of the training may vary. For example, the

security administrator that is setting up accounts may need training on

how to use the identity management system but not necessarily the tech-

nical details of Active Directory. On the other hand, the security analyst

who is responsible for building automated queries and processes may

need a seminar in Active Directory. Information security governance can-

not occur if individuals are not competent within their assigned jobs. This

does not mean that everyone needs the 5-day class, where a PowerPoint

or 2-hour hands-on training session may suffice.

Managers of employees and contractors typically require additional

training, usually an hour or less PowerPoint or learning management sys-

tem-type course to address issues such as access authorization using the

identity management system and the handling on on-boarding and termi-

nations. During the on-boarding process, security awareness training, en-

suring that background checks are completed, and providing the new

hires initial access are subjects that may be covered. When the employee

or contractor is terminated, the manager usually has some responsibility

to enter information into the system and collect physical property such as

badges, credit cards, laptops, and tokens. Communicating these require-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 28/60

ments through training can reduce the risk that these activities are not

occurring and increasing the exposure to the systems after the employee

leaves the company.

There are also specialized types of training depending upon the depart-

ment that may need to occur, such as training of the handling of a cus-

tomer care application, data center operations, and emergency response

training. Not everyone in the organization would need to do what is re-

quired in the event of an emergency in the data center, such as a fire,

however, the computer operators would need to know what to do to pro-

tect the data center and minimize the loss as well as how to safely

evacuate.

Continuous Security Reminders

A daily e-mail from the help desk explaining the latest security incident

would cause most users to set up an e-mail filter to move this type of e-

mail to the delete bucket. A balance of the security message must be

achieved whereby when the users see an information security message,

they are likely to read it and act upon it accordingly.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 29/60

E-mails of the latest incidents as applied to the organization can be very

beneficial, especially if employees can relate to the issues in their own

home environment. The breach involving Epsilon in 2011 where there

was an exposure to the e-mail accounts of millions of customers to firms

such as Chase, Citigroup, and Verizon, caused e-mail messages to be

spammed and appeared to be coming from these organizations. This rep-

resented a great opportunity for organizations to communicate what was

occurring and educate the end users about protecting their accounts.

Since this occurred to many users as part of their personal computer in-

volvement outside of work, this also has a side benefit of demonstrating

the organization’s caring for the associate. These opportunities should be

leveraged, which increase the likelihood of compliance to the security

policies.

Utilize Multiple Security Awareness Vehicles

The potential avenues for security communication can fill a book by

themselves. Some of the avenues for communication include

Company newsletters

Posters

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 30/60

Learning management system online presentations

Brown bag lunches

Links on corporate intranet sites

Weekly e-mails

Logon page or scrolling marquee messages

Hosting a “security day”

Monthly, short three- to five-page presentations

Online quizzes

Online “scavenger hunts”

Security contests

Each of these methods should be considered as supplemental to the

classroom-type training that is delivered face-to-face in person annually.

Posters should also be used sparingly and typically in support of a spe-

cific security awareness campaign. Posters that utilize slogans tend to

have limited lasting power beyond the campaign period. Posters can

serve as a great advertisement for ongoing online training or classroom

training, but by themselves have limited value. If posters are used, care

should be taken to track where the posters have been displayed so that

they can be removed in a timely manner. The messages should be impact-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 31/60

ful and address different security concerns beyond the “don’t share your

password” type of message. Relating the security message back to how

implementing security controls serves to protect the information for the

customers that entrust their information to us can be very impactful.

Security Officer Communication Skills

As discussed in Chapter 3 on Defining the Security Management

Organization and also in Chapter 4 on Interacting with the C-Suite, the

security officer must be able to interact with multiple levels of manage-

ment. Oftentimes when employees respond to the first survey that an or-

ganization issues on employee satisfaction, a frequent issue that surfaces

is lack of communication. What does this really mean? That the associate

did not feel listened to? That their ideas were not acted upon? That there

was not an avenue to provide input? That the manager or supervisor was

not sharing relevant news in a timely manner? It could be any one or

more of those items or something else.

The security officer must be able to communicate with individuals in

different levels of the organizational hierarchy, from the board of direc-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 32/60

tors to the end users and everywhere in between. There are different per-

sonalities that must be communicated with, different styles of working

and different ways that people deliver, receive, and process information.

The subsequent techniques can improve the ability of the security officer

or any security professional to communicate with others.

Talking versus Listening

Many people appear to believe that they are best communicating when

they are talking, however, when we are listening and the other person

feels that he or she has been heard, our ability to communicate is much

greater. Unfortunately, we block ourselves from effective listening by not

paying full attention to the person speaking. Those who are good listeners

tend to draw other people to them; people confide in them and they be-

come a trusted member of the team. By not listening, it sends the message

that what they have to say is not very important. Critical information is

then missed and opportunities to demonstrate that the person is cared

about is also missed. True listening involves providing our full attention.

Roadblocks to Effective Listening

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 33/60

There are 12 roadblocks that get in our way of effective listening, that

make it hard for us to truly listen to what the other person is saying

(McKay, 1995). Because listening is so crucial in communications, we

should continuously be aware of our behavior when another person is

speaking.

1. Comparing—While the other person is talking, you are trying to deter-

mine if you have had that situation before, and was it worse or not.

They may be talking about an issue that you have had before, and the

thought is running though your mind, “Hey, it isn’t that tough to com-

plete that, why are they having a problem.” By comparing, it is difficult

to listen to what their problem is, as the mind is busy analyzing our

own past experiences.

2. Mind reading—Instead of focusing on what the person is saying, the lis-

tener is focused on trying to understand the meaning behind what they

are saying and interpret what different situation is driving the com-

ments. For example, they may be saying “I have worked long hours to

review these security violation reports, and I am tired of reworking

them,” while the listener is thinking, “Oh, they just had a long day be-

cause they are going to school in the evenings and are probably just

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 34/60

tired.” This may not be the case at all, and in fact the real issue is that

the rework is preventing other work from being performed.

3. Rehearsing—The mind is too busy thinking of what the listener will say

next, that they are not focusing on the message that is being delivered.

In this case, the listener “appears” to be interested in what is being

said.

4. Filtering—The listener listens just long enough to hear whether the per-

son is angry, unhappy, or in danger. Once the emotion is determined,

then the listening stops and focuses on other activities or plans that the

person is thinking about. The listener only hears half of what is being

said.

5. Judging—Judging occurs when someone is prejudged before they even

start talking. A negative label is placed on the person who devalues

what they may have to say. If the person is seen as unqualified, incom-

petent, or lacking necessary skills by the listener, they may discount

what they have to say. This causes insights to be missed that could pro-

vide valuable insight to the solution.

6. Dreaming—When the talker mentions a thought that causes you to

think of something in your own life that is unrelated to what they are

saying, this is dreaming. They may be talking about what happens if

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 35/60

the contract that the company is bidding on is not won, what will hap-

pen to the security staffing levels, but before they get to ask the ques-

tions, your mind has drifted off to the last company that you worked

for that lost a huge contract and how you hated going through the re-

duction in force motions with your staff.

7. Identifying—Similar to dreaming, in this case every thing the person is

telling gets related back by the listener to an experience in their own

life. This is commonly shown when people are talking about a situation

and then a similar situation is parroted back from the listener’s life.

8. Advising—In this scenario, the listener is too busy thinking of the solu-

tion to the problem from the first few sound bites that they miss impor-

tant information or fail to pickup on how the listener is feeling.

9. Sparring—Quickly disagreeing by the listener causes the listener to

search for items to disagree with. This can take the form of a put-down

where the talker does not feel listened to and possibly humiliated.

10. Being right—This person will go to great lengths to demonstrate that

they are right, including standing by their convictions, not listening to

criticism, making excuses, shouting, and twisting the facts.

11. Derailing—The conversation is ended by changing the subject and

avoiding the conflict. This is sometimes done by joking to avoid the dis-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 36/60

comfort of having to discuss the subject.

12. Placating—The listener is very agreeable, as you want people to like

you, see you as nice, pleasant, and supportive. Listening may be at the

level just enough to get the idea of what is being said, however, you are

not fully engaged.

By being conscious of these blocks, they can be avoided to become a

better listener. There are also four steps to becoming a better listener, as

discussed in the next few sections.

Generating a Clear Message

Effective oral communication depends upon generating a series of clear,

straightforward messages that expresses the thoughts, feelings, and ob-

servations that need to be conveyed. Since over 90% of what we “hear” is

not from the words, but from the volume, pitch, and rhythm of the mes-

sage and the body movements, including facial expression, it is important

that our messages are congruent. We cannot be verbalizing the need for a

new, exciting security initiative with our posture slouched in the chair

and expect the recipient of the message to be as excited as we are (or po-

tentially not). Double messages should be avoided without hidden agen-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 37/60

das. Over the long-term, hidden agendas serve to undermine the security

department’s credibility.

Influencing and Negotiating Skills

Not everyone is going to automatically sign up for the information secu-

rity initiatives, especially if this means spending money that could be al-

located to other programs, involves an increase in the number of rules or

adds perceived overhead to their business operations. To successfully ne-

gotiate when discussing a position, the security officer must be able to

separate the problem from the individual. Direct attacks based upon

prior experience with a particular department will not help gain its sup-

port. The key is to look at the security initiative that is being proposed

from the perspective of the person that you are trying to influence. It is

also dangerous to try to read the other person’s mind as noted in the pre-

vious section and come to prejudged conclusions of their support or non-

support of the project. It is OK to postulate in advance what the stakehold-

ers may think about the situation to assist with the preparations; how-

ever, it is not prudent to come to foregone conclusions about their

reaction.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 38/60

Consider various options to implementing a strategy that may be pli-

able to the stakeholder. There is always more than one way to perform

something. A request by a business manager may be met with resistance

by the security officer. However, by brainstorming various options, one

of these solutions may be palatable, with some investigation, for both the

business manager and the security officer. Once options are determined,

these can be generated into requirements that are not demands but

rather where the solution is mutually agreeable.

Written Communication Skills

Written communication takes on several forms in today’s word from e-

mail, texting, twittering, social media (Facebook, Myspace, LinkedIn) post-

ing, report writing, policy/procedure writing, and memo writing. E-mail is

the predominant written form of communication and is much different

than writing a memo or a policy and procedure. Care must be taken to

know the audience and the purpose of the written communication.

Although e-mail is a very quick method to communicate across the orga-

nization, it is amazing how many e-mails people send that have incorrect

grammar, misspelled words, or use negative language. Since there is no

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 39/60

tone button on the e-mail that is sent, words must be chosen carefully so

as to not alienate the recipient. A simple request may turn into hurt feel-

ings if not written in a clear, nonconfrontational manner. E-mails are also

received almost as quickly as the send button is pressed, so extra care

needs to be made taken constructing the message. Although it may be

easy to become emotional over an issue, these are best handled by pick-

ing up the phone if they cannot be addressed using a fact-based, diplo-

matic written approach.

Presentation Skills

Presentations come with the territory and security officers will find them-

selves in the position of having to deliver a presentation to senior man-

agement. Since management has limited time, presentations need to be

focused with, “What do I hope to obtain or convey with this presenta-

tion?” Sometimes presentations will be an impromptu-type, such as the

30-second elevator speech, or it may be at the other extreme in the form

of a memorized speech. Most presentations are combination of the two,

whereby the presentation slides serve to guide the presentation, with

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 40/60

much of the material being an impromptu delivery (albeit prepared) by

the presenter. Presentation dos and don’ts are shown in Table 12.2.

Table 12.2 Presentation Dos and Don’ts

DO THIS DON’T DO THIS

Know the audience: General end

users? Technically oriented

users? Management?

Assume that the audience has the same

level of understanding.

Engage the audience by asking

questions.

Speak nonstop for 45 minutes or more

(beyond the normal attention span).

Use a mixture of audio, video, and

visual artifacts to make a point.

Exclusively using PowerPoint.

Translate the technical issues by

using analogies, stories, and

relating to common everyday

language.

Use technical security jargon when

unnecessary.

Make eye contact and use a

friendly demeanor.

Read the presentation slide by slide or

from note cards.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 41/60

Answer their questions using the

no-dumb-question rule.

Act superior to the questioner by

failing to recognize their comments as

valid, albeit they may be coming from

a different perspective or disagree.

Ask questions early to get the

audience engaged.

Completely, but briefly, answer their

questions.

If unsure of an answer, open the

question up to the group.

Lose credibility by talking about

subjects that you have little

experience with.

Leave time for questions and end

the presentation 5 minutes early

to permit time for attendees to

make their next meeting.

Speak right up until the end of the

hour and not get the conclusion or

discussion of options completed.

Focus on a few main objectives

for the presentation.

Provide histories (organization,

computing) that are not related to the

current discussion.

Keep the type text at least 24 font

point.

Use graphics that are hard to see or are

distracting (e.g., excessive use of

animation).

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 42/60

Speak with a microphone in

larger rooms so the audience in

the back of the room can hear.

Assume that your voice is loud enough;

some individuals may not be able to

pick up the modulation properly.

Applying Personality Type to Security Communications

Ideas emanating from the early work of Carl Jung, a Swiss psychologist,

were extended through the development of an instrument to indicate per-

sonality type differences by Isabel Myers and her mother Katharine Cook

Briggs in 1943 (Myers, 1995). This later became known as the Myers-

Briggs Type Indicator, or MBTI, which has been taken by millions of peo-

ple. The MBTI is a very powerful tool, which at its simplest form breaks

down all of the personalities into 16 types. Understanding each of these

16 types can help the security organization communicate more effectively

with different individuals based upon their type. In other words, it helps

to know how they may be wired to understand how they take in informa-

tion, make decisions, where they get their energy from, and how they or-

ganize their lives.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 43/60

The Four Myers–Briggs Type Indicator (MBTI) Preference Scales

The complete psychology explanation of the 16 types is well beyond the

scope of this book, but there are many useful books written on the MBTI

type noted at the end of this chapter. However it is useful to provide a

brief primer on the 16 types and, more important, what the implications

are for the information security department. There are four scales, with

each person having a natural preference for one of the two opposites on

each scale. While we all use each of the oppo-sites at different times, one

scale feels more natural to us most of the time. This natural tendency be-

comes our preference or the place where we are the most comfortable.

The combination of the four scales, with two opposite values, yields 16

combinations of letters. Each set of letters yields a describable personal-

ity, not in a stereotypical manner, but rather a mechanism to explain the

personality and what may be expected behavior, career interests, reac-

tions to certain events, and so forth from that personality type. It is im-

portant to note that no “preference” is better than another, it is just dif-

ferent. Each of us uses all of the dimensions of preference at some point,

and we flex our behaviors depending upon the situation. For example, an

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 44/60

introverted parent may flex their extraversion when providing discipline

to a child.

Extraversion versus Introversion Scale   The first preference is about

where you prefer to get your energy: the external world (extraversion, E)

or from the inside world (introversion, I). Extraverts tend to get energy

from the people, interactions, and events, whereas introverts tend to de-

rive their energy from their internal thought, feelings, and reflections. It

is sometimes said that extraverts are processing information as they are

talking, while introverts tend to crystallize the idea internally first before

speaking. Introverts draw their energy from being alone, while the ex-

travert may feel drained by spending long periods without interaction.

Table 12.3 shows some of the characteristics of extraverts and introverts

(Kroger and Thuesen, 1992).

Table 12.3 Where Do I Prefer to Focus My Energy (Inner or Outer World)?

EXTRAVERSION (E)—TUNED INTO

OUTER WORLD OF PEOPLE AND

EVENTS

INTROVERSION (I)—DRAWN TO

INNER WORLD OF IDEAS AND

EXPERIENCES

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 45/60

Seek interaction Like to be alone

Enjoy groups Enjoy one-on-one conversation

Act or speak first, then think Think first, then speak or act

Sociable and expressive Think to themselves

Expend energy Conserve energy

Focus outwardly Focus inwardly

Take initiative in work and

relationships

Quiet, reserved

Like variety and action Like to focus on one thing at a time

Outgoing Enjoy reflecting

Breath of information Depth of information

Sensing versus Intuition Scale   This preference indicates how informa-

tion is gathered. Sensing (S) individuals prefer to take in information

through their senses, such as seeing, hearing, smelling, and so forth, to

see what is actually happening. They are observant of what is going on

around them and very good at determining the practicality of the situa-

tion. Information presented is preferred to be delivered in a very specific

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 46/60

manner. Sensors tend to prefer to be presented with the facts and details

of what they are reviewing. About 70% of the world prefers to gather in-

formation this way.

Individuals that prefer to see the big picture to take in information

most likely prefer intuition (N) to gather information. They focus on the

relationship between various facts, facts that may not appear to have any

relationship to the sensor. They are good at seeing new possibilities and

new ways of doing things. Table 12.4 shows some of the characteristics of

sensing and intuition preferences.

Table 12.4 What Kind of Information Do I Normally Pay Attention To?

SENSING (S)—FOCUS ON

CONCRETE, REAL, ACTUAL

INTUITION (N)—FOCUS ON ABSTRACT,

RELATIONSHIPS, PATTERNS

Prefer facts, concrete data Prefer insights

Value practical applications Value imaginative insight

Present oriented Future oriented

Focus on reality, details,

specifics

Focus on the big picture, possibilities

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 47/60

Like step-by-step instructions Like to jump around, move in anywhere

Pragmatic Speculative

Value common sense Value innovation

Thinking versus Feeling Scale   How decisions are made is attributed to

the decision-making preference, which has two ends of the scale, thinking

(T) and feeling (F). Thinkers tend to look at the logical ramifications of a

course of action. The goal of the thinker is to make a decision from an ob-

jective viewpoint and tend not to get personally involved in the decision.

They are often called firm minded and seek clarity in the decision. They

are good at figuring out what is wrong with something so that problem-

solving abilities can then be applied. The feelers tend to approach deci-

sion making based upon what is important to them and to the other peo-

ple. While the decision making of the thinker may gravitate toward what

is right, lawful, or concludes with justice, the feeler may base the decision

on person-centered values to achieve harmony and recognition of other

individuals through understanding, appreciating, and supporting others.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 48/60

In short, feelers tend to prefer empathy over intellect. Table 12.5 shows

some of the characteristics of thinkers and feelers.

Table 12.5 How Do I Make Decisions?

THINKING (T)—ANALYTICAL,

LOGICAL CONSEQUENCES,

PRINCIPLED

FEELING (F)—CONSIDER

IMPORTANCE TO THEM, OTHER

PEOPLE AND VALUES

Firm minded Gentle hearted

Objective, convinced by logic Subjective, convinced by values

Laws, justice, policy Humane, social values

Reasonable Compassionate

Logical problem solvers Assess impact on people

Don’t take things personally Likely to take things personally

Good at critiquing Good at appreciating

Judging versus Perceiving Scale   The last preference indicates the pref-

erence as to how you orient your world. Judgers (J) want to regulate and

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 49/60

control life by living in a scheduled, organized, and structured way. They

do not like things unsettled and want order in their lives. They enjoy their

ability to stick to a schedule and get things done. For the judgers there is

usually a right way and a wrong way to do things.

Perceivers (P) prefer to be flexible and adaptable in different situations.

They want to be able to be spontaneous and flexible to rise to the oppor-

tunity as it presents itself. They are called perceivers due to their ability

to keep collecting new information, rather than draw premature conclu-

sions on a subject. In other words, they prefer the open-endedness and

ability to change their decision based upon new information. Table 12.6

shows some of the characteristics of judgers and perceivers.

Table 12.6 How Do I Organize My World?

JUDGING (J)—PLANNED,

ORDERLY, CONTROLLED LIFE

PERCEIVING (P)—FLEXIBLE,

SPONTANEOUS, EXPERIENCE LIFE

Seek closure, things settled Seek openness

Value structure, goals Like flexibility, tentative

Scheduled, methodical Spontaneous, flexible

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 50/60

Systematic Casual

Like closure and have things

decided

Like to have their options open, able to

change

Avoid last-minute stresses Energized by last-minute pressures

Enjoy completing projects Enjoy starting projects

Determining Individual MBTI Personality

Using the aforementioned descriptions and characteristics, by now it

should be possible to determine your approximate MBTI or set of four let-

ters describing your personality. This can be used as a guide for the next

section in determining the individual temperament. The actual determi-

nation of the letters is more accurately determined by taking an assess-

ment of the MBTI® by Consulting Psychologists Press, containing more

than 200 preference questions and determining the letters with more ac-

curacy (CPP, 1993). In real life, we have to learn to approximate the

Myers-Briggs of our peers, unless we ask them if they know what theirs

are, as they are not going to take a 200-plus question assessment for us!

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 51/60

Over time, speed reading the types for individuals become easier and a

very valuable tool for interacting with others.

The Four Temperaments In an effort to distill the 16 types into common-

alities for ease of discussion, David Keirsey portioned the 16 types into

four temperaments by grouping the Sensing-Perceiving (SPs), Sensing-

Judging (SJs), Intuition-Thinking (NTs), and Intuition-Feeling (NFs)

(Keirsey, 1998). Although there are individual differences due to the other

two letters that make up each set of 4 letters (for an individual’s personal-

ity), there was a strong commonality within these groups, which simpli-

fies the discussion of their temperament.

Following is a brief description of some of the characteristics of person-

ality types that fall into each of the four temperaments, along with the im-

plications as to how security should be communicated with each temper-

ament. For example, the SJ temperament consists of those individuals

who have the ESTJ, ISTJ, ESFJ, or ISFJ personality preferences. For exam-

ple, the ESTJ natural preferences are to obtain their energy from ex-

traversion, gather information through sensing (concrete, detail-ori-

ented), make decisions based upon thinking (logical, analytical values),

and orient their world through Judging (schedule oriented, organized).

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 52/60

The ESTJs share some common characteristics with the other SJs (ISTJ,

ESFJ, ISFJ), even though they may vary on one of the other dimensions.

SJ “Guardian” Temperament Those personality preferences sharing the

SJ temperament (ESTJ, Supervisor; ISTJ, Inspector; ESFJ, Provider; ISFJ,

Protector) share characteristics of being reliable, organized, task focused,

and hard working at their best. At their worst, they may be perceived as

being judgmental, controlling, inflexible, or close minded. They typically

respect the laws and traditions of society, like to be in charge, have a stan-

dard way of doing things, expect others to be realistic, strive to belong

and to contribute, have high expectations of themselves and others, are

critical of mistakes and may fail to reward expected duties, have diffi-

culty refusing to take on other assignments, and do not like surprises.

They are also good at anticipating problems.

While people of any temperament can be successful at any job, there

are some careers that attract this temperament more than others. The SJ

temperament may choose careers as a project manager, regulatory com-

pliance officer, budget analyst, chief information officer, bank

manager/loan officer, government employee, administrative assistant,

nurse, auditor, pharmacist, engineer, or an accountant. These are jobs

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 53/60

typically involving adhering to a set of rules and standards without a

large amount of ambiguity, which is attractive to the SJ temperament. SJs

are also attracted toward positions that can create financial security.

When communicating information security issues with the SJ tempera-

ment, it is important that if something was done wrong, that regret is ex-

pressed and a simple I’m sorry is used. This can set things straight and al-

low the SJ to move forward. SJs should be appreciated for their responsi-

bility and willingness to handle the details of the situation in the form of

compliments. For example, individuals in the security group managing

the very detailed logging and monitoring may be of the SJ temperament

as evidenced by their willingness to handle and organize the vast amount

of detail.

Commitments must be kept with SJs to win their trust. If the CEO is an

SJ and there were promises made to implement a security initiative by

the end of March so that a new product could be launched in May, the

CEO who shares this personality type preference will most likely be less

forgiving than the SP type, for example, when the deadline is not met.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 54/60

Communications with SJs should be specific and practical, as Dragnet’s

Joe Friday would iterate, “Just the facts ma’am. Just the facts.” SJs are also

resistant to change and need to be brought into change more slowly with

logical reasons for the change. However, once the change has been em-

braced, they can be one of the strongest supporters of the change.

SP “Artisan” Temperament The SP temperament (ESTP, Promoter; ISTP,

Crafter; ESFP, Performer; ISFP, Composer) personality types may be

viewed as the action seekers. They may be viewed as optimistic, generous,

fun loving, adventurous, realistic, and adaptable at their best, or hyperac-

tive, impatient, impulsive, and scattered at their worst. They enjoy life in

the here and now, highly value freedom and action, like risk and chal-

lenge, are spontaneous, may be perceived as indecisive, are observant,

ask the right questions to get what they need, respond well to crisis, like

short-term projects, and dislike laws and standard ways of doing things.

This is sharp contrast to the SJ temperament previously discussed, which

thrives on standards and ensuring that the rules are being followed.

For career selections, the SPs tend to gravitate toward careers that per-

mit them to experience life versus a means toward an end. Potential ca-

reer choices for the SJ may include emergency room nurse, medical as-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 55/60

sistant, photographer, police officer, public relations specialist, fire/ insur-

ance fraud investigator, news anchor, airline mechanic, marine biologist,

or paramedic/firefighter. In the security field, individuals wanting the ex-

citement of responding to a disaster recovery situation or an intrusion

may gravitate toward this area.

When communicating with the SP temperament, appreciation should

be shown for their enthusiasm, common sense, and ability to deal with

crisis. Joining in some of their activities may be appropriate, such as an

invitation to meet them and a group of security vendors after work.

Business executives of this type may be part of the golf club or bowling

league, and this would be a good opportunity to network with these indi-

viduals and build rapport to create a nonadver-sarial environment. Given

choices and alternatives, those sharing the SP temperament will want to

do things their own way in their own timeframe. Issues should be pin-

pointed and overwhelming them with information avoided. They also do

not like being told how to change or what to do.

NF “Idealist” Temperament Those sharing the NF temperament (ENFJ,

Teacher; INFJ, Counselor; ENFP, Champion; INFP, Healer), known as the

ideal seekers, share the characteristics of being compassionate, loyal

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 56/60

helpful, genuine, warmhearted, and nurturing at their best, or may be

perceived as moody, depressed, or oversensitive at their worst. They are

stimulated by new ideas, take an antiauthoritar-ian attitude, often side

with the underdog, see possibilities in institutions and people, search for

meaning and authenticity, self-actualize, maintain close contact with oth-

ers, give freely and need positive appreciation, and are good listeners.

NF temperaments may gravitate toward jobs such as psychologist, soci-

ologist, facilitator, career counselor, travel agent, human resources re-

cruiter, teacher (health, art, drama, foreign language), social worker, or

hotel and restaurant manager.

When communicating with the NF temperament, cards, gifts, compli-

ments and adoration go a long way. They are sensitive to criticism, so ex-

tra tact is necessary. Patience is needed to understanding of their need to

express their feelings. Their support can be gained by appealing to their

creativity and vision of their ideals.

NT “Rational” Temperament Individuals sharing the NT temperament

group (ENTJ, Field Marshal; INTJ, Mastermind; ENTP, Inventor; INTP,

Architect), known as the knowledge seekers, have strengths of being in-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 57/60

novative, inquisitive, analytical, bright, independent, witty and compe-

tent at their best, or they may be perceived as arrogant, cynical, critical,

distant, or self-righteous at their worst. They work well with ideas and

concepts, value knowledge and competency, understand and synthesize

complex information, anticipate future trends, focus on long-term goals,

like to start projects (although not as good on follow-through), not always

aware of other’s feelings, aim for mastery, and deal with the day-to-day

details but have little interest in them.

Knowledge seekers may be found as an executive, senior manager, per-

sonnel manager, sales/marketing manager, technical trainer, network in-

tegration specialist, technical writer, investment banker, attorney, psychi-

atrist, database administrator, credit analyst, technical project manager,

architect, or Web developer/computer programmer.

When communicating a security concern or initiative with the NT tem-

perament, the security professional should attempt to appreciate their ob-

jectivity, quick minds, and knowledge. Since they value mastery in what

they do, conversations that are intellectually stimulating should be pur-

sued, feelings should be avoided in conversation, and debate with them,

letting them know frequently you value their insights. Many of the techni-

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 58/60

cal staff involved in connecting patterns together, such as the network en-

gineers or database administrators, can become supportive of the secu-

rity program by simply asking them for their input and genuinely incor-

porating their insights into the security strategy and subsequent

implementations.

Summing Up the MBTI for Security

Communication is so important and goes well beyond providing a written

report or an oral presentation; it is how we interact with others on a daily

basis. As the security program must remain credible to be effective, we

must ensure that we are communicating the security messages clearly,

and in a manner in which they will be heard. We tend to communicate by

default by the manner that we are comfortable receiving. Unfortunately,

and fortunately, we are not all the same, and we take in and process in-

formation differently. To be successful within the organization, the secu-

rity officer and his or her team need to be able to communicate at an ap-

propriate level with others within the organization. Understanding the

differences in personalities will increase the effectiveness of the security

message that needs to be delivered.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 59/60

1.

2.

3.

4.

5.

Suggested Reading

McKay, M., Davis, M., and Fanning, P. 1995. How to communicate: The ultimate

guide to improving your personal and professional relationships. New York: MJF

Books.

National Institute of Standards and Technology (NIST). October 2003. Special

Publication 800-50: Building an information security technology security aware-

ness and training program, http://csrc.nist.gov/publications/nistpubs/800-

50/NIST-SP800-50.pdf

National Institute of Standards and Technology (NIST). October 1995. Special

Publication 800-12: An introduction to computer security: The NIST handbook.

http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

Herold, R. 2005. Managing an information security and privacy awareness and

training program. Boca Raton, FL: Auerbach.

Tieger, P. D., and Barron-Tieger, B. 1998. The art of speedreading people: Harness

the power of personality type and create what you want in business and in life.

Boston: Little, Brown and Company.

5/4/23, 4:05 PM Chapter 12 Effective Security Communications | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/023-9781466551282-012.xhtml 60/60

6.

7.

8.

9.

10.

11.

Tieger, P. D., and Barron-Tieger, B.1998. Do what you are: Discover the perfect ca-

reer for you through the secrets of personality type. Boston: Little, Brown and

Company.

Myers, I. B., and Myers, P. 1995. Gifts differing: Understanding personality type, 2nd

ed. Palo-Alto, CA: Davies-Black.

Kroeger, O., and Thuesen, J. M. 1992. Type talk at work. New York: Tilden Press.

Bolton, R., and Bolton, D. G. 1996. People styles at work:Making bad relationships

good and good relationships better. New York: Ridge Associates.

Keirsey, D. 1998. Please understand me II: Temperament, character, intelligence. Del

Mar, CA: Pometheus Nemesis.

Myers, I. B.1993. Introduction to type, 5th ed. Palo Alto, CA: Consulting

Psychologists Press, Inc.