Hord Tipton, executive director of ISC2, believes that organizations have to be serious about security awareness if it is going to be of any value.
"You have to do it much more often than what's usually being done," he says. Many organizations believe that one hour of training once a year is sufficient. "Frankly, I think that's totally wasted time. Worse, it creates a false sense of security."
Add Living Books to Your Next Security Awareness Event
What is a Human Library?
A Human Library (http://humanlibrary.org/) is a technique to promote dialogue and information interchange, reduce prejudices, and encourage understanding. A Human Library consists of a group of individuals who have agreed to share their knowledge (i.e., information that’s in their head) with others. A Human Library can be a single event with defined start and end times or an ongoing activity where the Living Books come and go much like books are checked in and out from a conventional library.
To create a Human Library for security awareness, set up a space, such as a conference room, auditorium, or cafeteria where your "Living Books" are available for checkout. Living Books are people you have recruited for this event who have experiences of interest to your audience. Visitors to your library could check out the human books for 15 minutes at a time to speak informally and ask them questions about their experiences or how to address a particular problem.
The librarian is the person who organizes the Human Library event. The librarian recruits and interviews book candidates, then prepares a short description of the books for readers. The librarian may also provide readers with questions to get the conversations started.
Living Books whose experiences might increase security awareness include:
Someone who lost their job as a result of something posted on the Internet
Information System Security Officer
Senior executive responsible for security policy
Electronic Frontier Foundation member
Information security blogger
Living Books should be volunteers who are recruited with care to ensure that they are committed and willing to talk with strangers about important and sometimes very personal issues. Recruit titles that can be linked with current local events. For example, if a recent data breach resulted in compromised information, look for someone whose identity was stolen as a result.
Interview book candidates to ensure the quality of books. Ask the book about their title and motivation to be a book. This is to ensure that books are focused on supporting awareness.
Readers can check out a book for 15 minutes, and can extend that time if no one else is waiting to check out that book. Books can check out other books if no one is waiting.
There are no stupid questions. A reader can safely ask any question without fear of ridicule. A Human Library provides an opportunity to ask the information security questions you always wanted to ask, but were afraid that asking would make you appear naïve.
The best sellers are defined as the books that have the most requests for loans.
Ask books, readers, and librarians for their comments on their Human Library experience.
Ask the books if they would be a book again.
Ask if people felt that they benefited from the event.
Ask the books if they learned anything from the readers.
What books would you want to read?
What questions would you want to ask a Living Book?
Send your ideas and comments to Kaie at Native Intelligence dot com.
Ruth Bandler of FDA suggested that if the Living Books could get continuing education credits (for example, a CISSP might be able to apply the time toward the CISSP CPE credit requirement), this would encourage volunteers.
Note: Native Intelligence, Inc. is not affiliated with The Human Library; we just think it’s a great idea that can be adapted for security awareness events.