Horizon Project

6.6 Instructional Sequences

In order to address the two different sets of performance objectives, we introduce two instructional sequences below, targeted at two different audiences. The first sequence is dedicated to select IT specialists (10—100), while the second one concerns a very large group (50,000–100,000) including all employees and volunteers part of the organization.

The first sequence is planned for a typical learning period of 5 weeks, while the second sequence is expected to span several years.

None of these two learning sequences may require the specific development of e-learning modules. Depending on the number of IT specialists to train, the first sequence may be taught from peer to peer, with the support of reference cards and job aids. The second sequence may be supported by a tool distributing the test phishing and associated learning contents, provided by a third-party vendor, probably completed with customized printable materials.

Module 1: How to Prevent Access to Sensitive Information of Donors

1–2 hours per week over 5 weeks.

Week 1: What is PII?

what is not PII
how PII identifies individuals
the gray areas: what becomes PII when cross-referenced

Week 2: Keeping Payments Confidential

the role of payment processors
PCI compliance
How not to store payment details
Legal obligations with regards to financial records

Week 3: Workshop with Invited Speaker

1 hour of workshop with a guest, e.g. a data analyst from the military or an IT specialist from another NGO, sharing tips and experience against digital threats.

45 minutes of interview followed with 15 minutes of questions from the audience.

Week 4: Managing Access to Files and Databases

granting and revoking access to files
granting and revoking access to databases
creating partial views of tables

Week 5: Masking and Aggregating Data

how aggregating data can make sensitive data anonymous
and when it doesn’t
how to replace sensitive information with fake equivalents

Module 2: Gone Phishing

Each learner will receive 1 email every 5 to 10 days, at random intervals. The roll-out will be progressive starting with a few hundred learners, including all the learning champions in the first month, and adding several thousand employees and volunteers each month. The progress of each learner will be tracked individually to adjust the level of the challenges accordingly, across the 3 levels of difficulty.

Level 1: Each email contains several obvious signs of scam

phishing for credentials through visibly fake URL
phishing through attached executable program
obvious scam scheme requesting an urgent payment from the learner

Level 2: Each email contains only one obvious sign of scam

phishing for credentials through masked URL
phishing through attached spreadsheet with macros
scam scheme requesting an urgent payment to a unknown organization, from a known contact but sent from a free email provider

Level 3: Each email is suspicious without any obvious sign of scam

phishing for credentials through a page which loads a login page only once hidden
phishing through an email pretending to contain instructions from Horizon IT to download a zip archive and install a new program on the computer
scam scheme requesting a list of donor emails for fundraising purpose, sent from the email address of an existing employee

Contents

6.6 Instructional Sequences