Monday, April 13, 2026

Sermon - TLIS - 1.2.6 - Security awareness, training, education

Deuteronomy 5:1
Moses summoned all Israel and said: Hear, Israel, the decrees and laws I declare in your hearing today. Learn them and be sure to follow them.

Job 34:4
Let us discern for ourselves what is right; let us learn together what is good.

Ecclesiastes 1:17
Then I applied myself to the understanding of wisdom, and also of madness and folly, but I learned that this, too, is a chasing after the wind.

Acts 26:24
At this point Festus interrupted Paul’s defense. “You are out of your mind, Paul!” he shouted. “Your great learning is driving you insane.”


I have come to a concept in information security on awareness, training, and education.  It is vitally important in security, and also in business in general.  As a teacher, it is personally very important to me.  I have the feeling that it's very important to the Christian life as well, but I must admit I am having trouble clarifying precisely how in my own mind.

I must admit that my colleagues in the field of information security do not all share my enthusiasm for security awareness training.  In the same way that GK Chesterton said "The Christian ideal has not been tried and found wanting; rather, it has been found difficult and left untried," so too, security awareness has not been tried and found wanting, but rather it has been assumed to be found wanting and has not been tried.

In security, we consider awareness to be what everyone needs to know.  All workers need to be aware of common attacks on the enterprise or themselves, the importance of security to the enterprise and to themselves, and the fact that security is everybody's business.  Specialists, who are responsible for particular applications, databases, or pieces of equipment, need to have particular and targeted training in regard to those responsibilities.  Then there are the professionals, who need to have a broader understanding of the entire field of security, and the management and planning for its implementation and structure.

Awareness is broad and not terribly deep or specialized.  The common attacks mentioned might include frauds and scams conducted against individuals; spear phishing, specifically targeting an organization through acquiring detailed knowledge of the internal structures; things like computer viruses and malware which attack in a scatter-shot type of operation; and specific attacks that might be mounted against this particular enterprise.  Awareness is conducted in terms that are possibly most appropriate to advertising.  Using cute and memorable phrases to bring certain types of attacks and protections to mind.  Handing out trinkets with reminders of specific protections and concepts.  Repetitions of the same messages over and over again.  It is important that the repetitive material be modified, on a regular basis, to say the same things but in a new, and possibly more memorable, way.

Training is, as I say, for specialists.  Specialists who own certain databases, or are responsible for particular applications that are crucial to our enterprise, or particular devices that provide resources for us.  There will be specialty training on the operations of these entities, but there will also be specific training on the importance of particular types of security for these special resources.

The professionals and managers of information security have a broader responsibility.  At the same time, they probably are going to have specialties of their own, possibly acquired as they rose through the ranks of the enterprise and the field of security itself.  However, it is important that these professionals have a very broad overview of security and the sum total of all the domains and fields that it contains.  They must be able to talk with specialists, not so much to ensure that they fully understand the specialty, but at least to the point where they can communicate with the specialists and obtain the greatest benefit out of a specialist contractor's knowledge.

I am trying to consider whether there is an appropriate mirror in the Christian life.  My initial reaction is that there is.  For example, is there an area of knowledge that all believers, and by extension all people to whom we are supposed to be delivering the Good News, need to know?  Then is there a separate level of training that needs to be directed at, for example, ministers, pastors, para-church leaders, and those among the laity who wish to improve their own understanding of the Christian life?  And then, of course, there is the education level that would be the province of theologians and possibly the faculty of seminaries and colleges.

But immediately I run into a bit of a problem.  Is the awareness of the Christian message to be for believers only, or is it to be spread, as the Great Commission would have it, to all nations?  And how far does the content of the message of the Gospel, itself, extend?  Are we content to tell of the instruction to love God, love your neighbor, and spread the message?  Do we go slightly further and have as a curriculum the contents of the little booklet about the four spiritual laws?  Given that the Bible is the most widely available book in the world, is that the curriculum?  (Even though nobody reads it any more.)  What about individual Bible reading?  What about individual prayer time?  What about small groups, either for prayer or for Bible study?  Should we encourage, in terms of the awareness of the original Biblical languages, at least some kind of teaching about the alphabets, if not the actual languages themselves?

Also, in regard to awareness level education, is it good enough that we focus on simplistic repetition of cant phrases, and the provision of trinkets?

Should Christian education be a one size fits all endeavor?  Should questions of Christian life, experience, and even theology, be suitable for everyone?

Regent College, on the campus of the University of British Columbia, is a theological college and institution of international renown.  A number of people consider it to be a type of seminary.  However, even from its beginnings as an institution, Regent College has had a specific distinctive of providing theological education for the laity itself.  Anyone who is interested can come and take Advanced Theological Courses of Study.  I highly respect Regent College, but in this situation it is causing me a bit of trouble.  Does it belong to the awareness level of education for the laity, along with Bible colleges that provide a much lower level of education, or does it belong in the training section for specialists, or those involved in the ministry?  Or, given the status of the faculty, is it an institution of professionals?

In regard to the question of whether the Christian message should be only for believers, or spread to others, non-believers, to all nations: 

In terms of the provision of awareness training, in information security, to the general employees and workers of a company, I have frequently proposed an expansion of this endeavour.  I hold that, particularly with regard to issues such as scams, frauds, and malware, provision of training to the general public, outside of the company or enterprise, does, in fact, benefit the enterprise.

In regard to the attack by a single attacker on an enterprise, the warning and suggestion of protections to the general public may be seen as having no benefit.  After all, if the attacker is attacking an outside individual, he is not able to concentrate on attacking the enterprise.  However, in the case of malware, and particularly computer viruses, the infection of a machine outside the enterprise actually increases the risk to the enterprise.  A machine that is infected will be firing out copies of the virus, not particularly directed, and spread in a shotgun spread, but some of those infections are likely to hit machines and accounts related to the enterprise.  Therefore, this increases the risk to the enterprise.  By extension therefore, mentioning or providing security training to the public, even at a cost to the enterprise, is a benefit to the enterprise by reducing the total threat environment that can be attacking the enterprise at any given time.

Can we extend this to the Christian life?  Is there a benefit in conducting evangelical campaigns, to the local church?  Yes, evangelical campaigns are what we are instructed to conduct, but is there a benefit to us as the local church?  Certainly, if the campaign is successful, and we obtain additional Church members, this does help the church.  But, by extension of the idea of companies and enterprises conducting public security awareness training, simply as a public good, and thereby obtaining a benefit from it, by the same token, it would appear that there is some benefit to the church, of conducting evangelistic campaigns, regardless of whether or not individual results from that campaign result in additional members to the specific local church.

Before we move on to the next level, that of training of specialists, you may be somewhat perturbed at my mention, earlier, in regard to security awareness training, of the importance of repetition.  You may think that the simple jingles and constantly repeated catchphrases of advertising are inappropriate in regard to the education of the general laity and members of the church.  If so, I would remind you of the main delivery method for basic Christian education: that of the sermon.  Think of the number of sermons that you hear over the course of months or even a year.  How often are the same essential points repeated again and again and again?  And again.  How often do our hymns or praise songs repeat the same words over and over again?  And I think that, if you are fair, you will note that Christians do have their own catchphrases, just the same as does advertising.  Can I get an "Amen"?
 
At the training or specialist level, one would normally think of seminaries, and those institutions that prepare one for Christian leadership positions.  This kind of training would include both Biblical and systematic theology, probably at least one of the two biblical languages, training in pastoral care, and training in some form of public speaking.  I have, perhaps cavalierly, skipped over pastoral care without providing much detail.  Probably candidates for the ministry should be subjected to pastoral care themselves.  Some courses in psychology and psychological counseling would probably not go amiss.  This does seem to be an area where ministers seem to have a bit of a weakness.  I have noticed over the years that ministers in a great many churches are chosen on the basis of their performance capabilities rather than their ability to counsel the individual.

There is an immediate problem in considering the training level in the Christian life, particularly in regard to ministerial or clerical training.  A factor which does not normally arise in the business or security world is that, in the Christian world, it is considered important and even vital that there be a "calling" to the position of minister, supported by spiritual gifts.  This does not mean that education does not play a role in the Christian life, even in clerical training.  Spiritual gifts are important, and a calling is vital.  The calling and gifts can be supported, shaped, and possibly even augmented by mere human training.

And we come to the professional level of the Christian life.  Even putting it that way, with that wording, sends shivers down my spine.  Normally, one would think that this is the province of seminary faculty, the bishops and archbishops of the major denominations, the writers in theology and philosophy, but it also has to contain people like televangelists, whose primary skill often seems to be that of self-promotion.  For seminary faculty, of course, it is easy to see that we should require studies of all forms of theology and philosophy, as well as working knowledge of higher criticism and a fairly substantial command of the language, even beyond Hebrew and Greek.  (I have, myself, a slightly more than working knowledge of higher criticism, given that I have studied stylistic and linguistic forensics as a background to software forensics.)  But then we come to the leadership in denominational structures, where management, and particularly business management, would take some precedence.  As previously noted, there are a number of people who are attached to, and even important to, the Christian life, who we sometimes wish were not.  Televangelists and certain authors may significantly contribute to the Christian life, overall.  But very often these people do not have much in the way of professional qualifications at all.  They don't have specialized knowledge, and sometimes, it has to be admitted, they are simply in it for themselves.

Do we need to expand our view of Christian education at the awareness level?  Do we, as Christians, need to pursue more deeply education and training related to the Christian message and life?  Are we too timid in our view that, if we know the four spiritual laws, we have enough basic knowledge?  Have we taken to heart too much the idea that we must come as little children, and so not question and not learn and not pursue education with respect to the Christian life?  Is it possible that we are putting too much emphasis on revelation and spiritual gifts, and not enough on our, admittedly fallible, efforts at education in this fallen world?

Regent College, and the Laing family, provide the Laing lectures as a series of public lectures.  These lectures bring celebrated philosophical and theological leaders to present their ideas to the general public.  The lectures are available without charge to any who wish to attend.  In addition, the lectures are now available online, to any who wish to attend online.  I recently attended this year's Laing lectures, and was somewhat disturbed to notice the fact that, while there were a large number of people in attendance at the college itself, there were definitely empty seats.  I also noted that I was one of thirty people waiting on line for the online version of the lectures to start.  Given the eminence of those who are chosen to present the Laing lectures, it seems that this is a disturbingly small population who take the opportunity to learn extremely interesting topics related to Christianity and the Christian life.  I doubt that this is a failure on the part of Regent to advertise and promote the lecture series.  Rather, it demonstrates a disturbing lack of interest in further Christian education on the part of my fellow Christians.


Theological Lessons from Information Security

Sermon - TLIS - 0.1.1 - Security is a hindrance with no benefit

Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker

Sermon - TLIS - 0.7.3 - Four right answers on CISSP questions

Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics

Sermon - TLIS - 1.1.7 - Security Frameworks

Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet

Sermon - TLIS - 1.5.1 - Manage Everything

Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts

Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure

Sermon - TLIS - 10.3.1 - Intellectual Property

Sermon - TLIS - 10.5.1 - Privacy

Sermon TLIS - 10.6.1 / 54 - Liability and Negligence


