One Article Review

Home - The article:
Source: NoticeBored
Identifier: 409083
Publication date: 2017-09-12 16:58:10 (viewed: 2017-09-12 16:58:10)
Title: NBlog September 12 - Security Culture Framework
Text: In preparing for our forthcoming awareness module on security culture, I've been re-reading and contemplating Kai Roer's Security Culture Framework (SCF) - a structured management approach with 4 phases.

1. Metrics: set goals and measure

Speaking as an advocate of security metrics, this sounds a good place to start - or at least it would be if SCF explored the goals in some depth first, rather than leaping directly into SMART metrics: there's not much point evaluating or designing possible metrics until you know what needs to be measured. In this context, understanding the organization's strategic objectives would be a useful setting-off point. SCF talks about 'result goals' (are there any other kind?) and 'learning outcomes' (which implies that learning is a goal - but why? What is the value or purpose of learning?): what about business objectives for safely exploiting and protecting valuable information?

SCF seems to have sidestepped more fundamental issues. What is the organization trying to achieve? How would what we are thinking of doing support or enable achievement of those organizational objectives? Security awareness, and information security as a whole, is not in itself a goal but a means to an end. I would start there: what is or are the ends? What is information security awareness meant to achieve? Having discussed that issue many times before, I'm not going to elaborate further on that today, except to say that if the Goals are clear, the Questions arising are fairly obvious, which in turn makes it straightforward to come up with a whole bunch of possible Metrics (the GQM method).

From there, SMART is not such a smart way to filter out the few metrics with a positive value to the organization, whereas the PRAGMATIC metametrics method was expressly designed for the purpose.

SCF further muddies the waters by mentioning a conventional Lewin-style approach to change management (figure out where you are, identify where you want to be, then systematically close the gap) plus Deming's Plan-Do-Check-Act approach to quality assurance. I'm not entirely convinced these are helpful in setting goals and identifying measures. I would have preferred to elaborate on the process of analyzing the organization's core business, teasing ou
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.