Friday, October 3, 2014

5 Steps to Take in Security Incident Role Plays


Role plays are an effective form of learning. Role playing comes naturally to all of us. When children gather, they role play. However, as we become adults, we mostly shy away from role playing unless we see the motivation to do so.

Role play is effective because it involves all our senses to arrive at conclusions based on a scenario and some goals. It is way better than the archaic 'Sage-on-Stage' style of lecture.

But role play requires more preparation, time and patience. The facilitator must also be very knowledgeable in the domain to hit the ground running.

Information security is an ideal subject to be taught with role play. It is by itself dynamic and action oriented. Information security architecture, and the design and implementation of technical and non-technical controls, essentially pre-empt certain fraudulent or unauthorised actions. Given such dynamism, students of information security need to have the presence of mind to relate and react to incidents.

For facilitators, here are 5 Steps to Take in Security Incident Role Plays:

1. Create a scenario
  • If you have not encountered a real-life one, look for one on the Internet.
  • Make modifications to the scenarios so that they protect the guilty and the victim in the incident.
  • Make modifications so that the scenario is practicable for a classroom role play. For instance, if there are going to be roofs collapsing in the scenario, you have to think of ways to simulate it effectively.
  • Try to make the exercise visual. It is easier for your participants to react to.
2. Assign roles 
  • Put depth into your characters. Give your roles the motivation and the penalties for failure.
  • Set boundaries on what they are and are not allowed to do. This is not to limit their creativity, but to pin them down to some realities in an incident. For instance, it is unlikely that they will have an unlimited budget to solve the problem.
3. Break each role into groups for discussion 
  • Ensure that everyone in the group participates and there are no passengers.
  • Allow the participants to learn from their common sense, effectively starting in the middle from an observation and building their findings upwards or downwards in the hierarchy of knowledge.
  • Sometimes, you may have to intervene to ensure that there is fair discussion and that no one is trying to impose their values on the others. Note that this is not necessarily taking sides on who is right or wrong.
4. Video the role play 
  • With today's very affordable access to technology, it costs next to nothing to record the performance.
  • It is fun and it compels the participants to take the exercise seriously. In odd cases, you may get groups of them giggling and laughing all the way through their performance.
5. Review of what is learnt
  • List down what is learned. 
  • Rationalise the list and compare it with what is established in the text book or industry practice. Are they different? Discuss why.
  • Note the gaps of what is still not realised or learned and plan them as learning goals in the next role play exercise.
I have listed the minimum needed to execute a role play. You can improve it further by carrying out the exercise outside the comforts of the classroom, somewhere as close to the real deal as possible; you can use props, real equipment and audio-visual effects, most of which are very affordable these days.

Watch this space for the next article about "Learning Programme Development". 

There, you move to managing knowledge in the organisation, prioritising the areas of upgrade, planning internal skill mobility and leveraging the skills to grow the business.