Security Awareness for Busy People

I am taking the wraps off my first product ever: Security Awareness for Busy People. Those who know me know that I'm not the type of person to shout my accolades from the rooftops, so this is a bit out of my comfort zone right now. Regardless, I'm proud of my work and I want to share it with the world.

Background

As I mentioned, this is my first product ever. Throughout my career I have helped other companies build software, maintain secure systems, or train their employees to be better developers/operators/administrators. I have done this both as a full-time employee and as a consultant. I always have ideas for products and yet never deliver on them, for a couple of reasons:

  1. I convince myself that the ideas are dumb.
  2. I convince myself that nobody would care/buy/use my ideas.
  3. I never have enough time carved out for personal projects.

As a result, I usually give up and end up feeling ashamed for not being creative enough. But not this time. I pushed through all those negative thoughts and kept thinking about how people from all walks of life could benefit from the type of training I used to provide as Head of Security at Unbounce. This training is taken from the hour-long security orientation I would give to new hires, plus all the ad hoc advice I provided to people as they went about their lives, both at home and at work. It's like when someone knows you work with computers, they ask you lots of computer questions; when you work in information security, suddenly you get asked all these questions about jargon, data breaches, "Am I safe?", and so on. Another aspect of my job was to find security awareness training for the company, and the options all suffer from the same problems:

  • Boring: Whether because of how the topics are presented or because of the presenter, every video made me want to go to sleep. 😴
  • Short: The training lasts 1-4 hours and then somehow you are supposed to be protected for the rest of the year. 🤷
  • Narrow Focus: They are only concerned with workplace security. Yet people need to feel safe 24 hours a day, especially when they take their work laptops home. 🔒
  • Disruptive: They require logging in or watching videos. Nobody wants yet another login, and nobody chooses to stop their regular work so that they can sit for hours in front of a computer to watch a training video. ⏱

So I decided to do something about it. I put what I learned into making a course that is both respectful of people's busy schedules and comprehensive enough to protect people at home and at work. I also wanted to ensure that, from the start, the course is inclusive of anyone, regardless of disability, age, skill level, or what have you. And yes, there is a glaring gap here in that the course is only offered in English, but this is the only (verbal) language I speak, so I can't very well provide it for everyone around the world. If that situation changes, I'm definitely translating it right away.

Aside from the accomplishment of releasing a product by myself, I am also happy to announce that I'm now a published author. I was able to obtain an ISBN (978-1-7770426-0-8) for this course, which feels like a great accomplishment. I thought it would be a difficult task to complete but, as it turns out, it's super simple (at least in Canada), with a 2-day turnaround.

Philosophy

The entire course is served through a custom application I wrote. It's not complex at all and should scale really well, though I'm not challenging anyone to test that out. I'll go into the trials and tribulations I went through making the application (mostly dealing with my own hubris) in another post, but the application I created is simple and inexpensive to operate. You might be wondering why I didn't just partner with one of the online course platforms out there. It would have been so much easier and less time-consuming to simply create the audio and transcript files, then upload them to a platform provider. There are two reasons I chose to host it myself:

  1. None of them provided such a simple way of emailing course materials to students: I did some comparison shopping of the online course platform providers, and they all wanted students to log in to see the courses. This went against my goal of ease of use for students, since I know from experience that people don't want to do that, nor is some grandparent going to figure it out. It's funny too, because I recently went to a job interview at Thinkific (an online course platform provider) and I mentioned how my idea is unique, and the CTO looked at his senior developer with such a "that's a really good idea!" kind of look. 🤔 ➡ :mind-blown: ➡ 😍
  2. I want to own my platform: I subscribe to a philosophy that, as far as I can tell from 5 seconds of research, was coined by Zed Shaw: own your platform. The premise boils down to ensuring that whatever service you are providing cannot be usurped by a service provider for any reason. Now, we all have to trust someone, and I've chosen to use Stripe (for payment processing) and AWS/Heroku (for web hosting), but these providers can be swapped out for others should the need arise. That need could be as simple as high fees or outages, or as complex as secretly adding tracking pixels to emails and web pages. When I own my platform, it means that I am ensuring that my customers and students have the highest level of privacy and security, provided at the lowest possible cost (whether that cost is money or data collection).

Curriculum

The course itself is composed of 52 lessons, one for each week of the year. This means a student receives an entire year of security awareness training. Each week presents a different topic, be it general security, information security, financial security, computer security or physical security. Now, it might seem odd that one can learn security awareness over an entire year with just 5 minutes of training a week, but this is exactly how school teachers teach advanced topics. They start simple and keep returning to related topics over a long period, because just the mention of a related topic reinforces what was taught before.

The goal of the course is not to turn students into uber elite hackers, since that won't help anyone feel secure. Neither is the goal to teach students a particular tool or vendor, since these change all the time. Rather, what I'm teaching in this course is an understanding of how information security professionals approach situations to identify the threats and risks, then work to build out a plan tailored to an individual's need to feel secure. Sure, I could just tell people a bunch of jargon, but if the jargon isn't understood, then the lesson won't be absorbed. So I demystify the security jargon and give people a different approach to being secure: look at situations through a different lens and then figure out how they would like to feel safer. But it all has to be done in 5-minute increments so that I hold their attention and don't disrupt their lives.

Pricing

I priced the course at $52, which works out to $1 per lesson. I think that strikes a fair balance between the effort I expended, the infrastructure costs, and what people are willing to pay as both consumers and professionals. In my experience, when employers pay for training everything is great (financially speaking), but when one has to pay for it oneself, the wallet tends to close a bit.

The course isn't free because I know that people are finally starting to see that free things aren't always free; in fact, free services have been shown to collect your personal information and then sell it, making you the product that's being sold. Instead, I am charging a nominal fee for this course and collecting as little information as possible to provide you with training. I spell it out on the website, but I'll also state it here. I collect only this information:

  • For processing credit cards: billing name, billing address, credit card details (not accessible by me)
  • For providing course materials: name, email

See how little information one needs to provide a service? I don't know much about you and, to be honest, I don't care to store your data. It's a risk for me and it's a risk for you, so I figure I will follow my own principles and collect as little of your information as possible. When I process a credit card, I need to know more about you to prevent fraud and to calculate applicable taxes, but this data is stored in Stripe (my payment processor of choice) and never used by me. The rest of the data, for providing you with course materials, is stored in my system, but it doesn't necessarily need to be personal. Your name can be anything you want; I just want to call you something other than "Human". Your email is, well, a vital requirement for sending course materials to your email inbox. 🤣

How it Works

Each lesson that is emailed to you contains two email attachments: an MP3 file and a PDF transcript. The point of the course is that it is easy for people to both attend the lesson and absorb the information. In that vein, clicking a 5-minute audio attachment and listening to it on, say, your phone is about as easy as it gets. And yes, I do see the irony in a security awareness course asking people to open email attachments. Some people prefer to read rather than listen, or an accessibility need requires it, so for those people I provide a PDF transcript. It has the same lesson, but in written form and without you needing to listen to my dulcet tones. The transcript can also be beneficial for those who listen to the audio file, because it is enriched with links to learn more about the topic or the jargon I use in the lesson. Since I need to keep each lesson within 5 minutes, I have to keep the lessons dense but still compelling, and rely on linking to places like Wikipedia where people can learn more if they are interested.


So that's it. The project is done and released to production. 🎉 I… am a bit nervous about its reception or, frankly, whether anyone will buy the course. But it's out there, I completed it, and that's the main point.

The course is available to be purchased for yourself, for someone else, or for a group of people. Please consider purchasing the course and making yourself and those around you safer.

Oh and, before you go, I am looking at providing this security awareness training in another format for those who are familiar with the traditional method of training and want material that is more in depth than can be learned in 5-minute increments. Stay tuned for product #2.