Ben Rothke wrote a cute tongue-in-cheek blog-like piece for Network World about using laughter as a security metric, referring to the gales of laughter from managers that occasionally greet our serious security project/funding requests and equating the degree of mirth with the manager's cluelessness. Unfortunately, even clued-up managers don't always take us seriously, especially in a funding crisis, but anyway, it's a nice idea, Ben, if a somewhat negative or cynical metric.
Actually, it set me thinking about the value of laughter in security awareness and training activities. I would argue that laughter can also be a positive metric. Let me explain.
IT courses presented by geeks can be so boring for non-geeks, while deadpan "thou shalt not" lectures from earnest managers or security professionals are mind-numbingly dull for any sentient being. I bet I'm not the only person who used to skip most of the Reader's Digest looking for those "Laughter is the best medicine" pieces ... in other words, some (most?) of us appreciate humour and like having fun, so why not turn that to our advantage?
Here's a small illustration. I sometimes base security awareness case studies on stories from a neat little book called "Dear valued customer, you are a loser" by Rick Broadhead. The title concerns an incident where a marketing emailshot somehow went out with the subject line "You are a loser". That's just one of "over 100 embarrassing and funny stories of technology gone mad" says the book's subtitle. The point is that these are amusing short stories about technology-related blunders. It's not hard to make the link to security awareness topics from some of the incidents, so I use them (and similar ones from The Register and similar websites making fun of 419 scammers) to develop case study scenarios and questions for class discussion. Likewise, role-playing scenarios, puzzles, tongue-in-cheek quizzes and awareness posters, and humorous and/or controversial quotes are easy ways to inject a bit of energy into an otherwise flat, dull, lifeless security awareness program, and I'm sure you can appreciate the value of organizing live 'awareness activities' rather than simply delivering the entire security awareness message through the email and intranet/learning management system.
Laughter, then, can be both a negative and a positive security metric in different contexts.