Every day, security professionals use acronyms to describe things in their jobs. We have acronyms for certifications (OSCP, CISSP, GSEC), compliance standards (NIST/FIPS, HIPAA, GDPR), and job titles (CEO, CISO, CTO). We use acronyms to understand what others are talking about or referring to, and to make conversation easier too.
Many companies and consultants have practices that they have turned into acronyms over the years to make sure employees follow a task through to completion. But what happens when you’re off the clock at home and have to discuss something security related? We all know this happens: come home for the holidays and all of a sudden you get to play family tech support!
The standards you follow at work will most likely not be 100% applicable to the situation at hand. Last time I checked, my grandfather wasn’t a Fortune 500 company that needed millions of dollars and hundreds of terabytes of information secured, just pictures of his dog and his fantasy sports stats. So how do you keep his information safe and secure without sounding like a security know-it-all OR handing him a solution that is too complex for him to use?
Introducing The D.U.C. Model. I developed this model with the assistance of my mentor. D.U.C. is an acronym that stands for the following: Discuss, Understand, Customize.
Discuss – talk with the person who came to you with the security issue and figure out exactly what is going on.
For example: Did their machine become infected with malware because they clicked a phishing link? Have they never run an anti-malware scan in their life? Did they accidentally download a bogus program?
Understand – try to understand why the situation occurred. Was it simply a mistake?
For example: Do they not know how to identify phishing links? Do they not know anti-malware software exists? Were they led astray by someone else trying to help?
Customize – depending on the person’s technical skill and ability to learn, work out how you can fix their problem AND show them how to prevent it in the future.
For example: After you remove the malware from their machine, show them how to prevent it in the future in ways they can understand! If they are able to learn to spot phishing links, show them the telltale signs of one. If they don’t know how to run an anti-malware scan, set up an automatic monthly scan for them. If they keep clicking on bad websites, put those sites on a blocklist, or show them how to tell a safe website from a malicious one.
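The blocklist in the last example is the kind of fix that has to survive without you around, so it should be idempotent, tolerant of whatever the person pastes in (a full URL, mixed case, a leading "www."), and easy to undo. The helper below is an added example written for this post, not code from the original article; it manages a marked section of the machine's hosts file (assumed location: `C:\Windows\System32\drivers\etc\hosts` on Windows, `/etc/hosts` elsewhere) and works on the file's text so it can be exercised against the constructed sample shown in the block without touching a real system. The function and constant names are mine.

```python
"""Hosts-file blocklist helper (added example; not part of the original post)."""
import re
from typing import Optional
from urllib.parse import urlsplit

BEGIN = "# BEGIN family-blocklist"          # markers keep our entries in one
END = "# END family-blocklist"              # section that can be reviewed or removed
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample hosts file (not taken from any real machine).
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1 localhost
::1       localhost
"""


def to_hostname(entry: str) -> Optional[str]:
    """Normalize what a non-technical user might paste (full URL, path,
    mixed case, leading 'www.') to a bare hostname.
    Returns None for anything that is not a plausible domain name."""
    entry = entry.strip().lower()
    if "://" not in entry:
        entry = "http://" + entry       # let urlsplit find the host part
    host = urlsplit(entry).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    if all(l.isdigit() for l in labels):   # an IP address, not a domain
        return None
    return host


def existing_hosts(hosts_text: str) -> set:
    """Every name already mapped anywhere in the file, so we never add duplicates."""
    found = set()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) >= 2:
            found.update(p.lower() for p in parts[1:])
    return found


def add_to_blocklist(hosts_text: str, entries: list):
    """Return (new_hosts_text, added_names, rejected_entries).
    Idempotent: a second run with the same entries changes nothing.
    Each host also gets its 'www.' form, which is what browsers usually try.
    Maps to 0.0.0.0 (non-routable) rather than 127.0.0.1 so requests fail
    fast instead of landing on a local web server."""
    present = existing_hosts(hosts_text)
    added, rejected, new_lines = [], [], []
    for entry in entries:
        host = to_hostname(entry)
        if host is None:
            rejected.append(entry)
            continue
        for name in (host, "www." + host):
            if name not in present:
                new_lines.append(f"0.0.0.0 {name}")
                present.add(name)
                added.append(name)
    if not new_lines:
        return hosts_text, added, rejected
    if BEGIN in hosts_text and END in hosts_text:
        # Extend the existing marked section in place.
        head, rest = hosts_text.split(BEGIN, 1)
        section, tail = rest.split(END, 1)
        section = section.rstrip("\n") + "\n" + "\n".join(new_lines) + "\n"
        return head + BEGIN + section + END + tail, added, rejected
    # First run: append a fresh marked section at the end of the file.
    base = hosts_text.rstrip("\n")
    block = BEGIN + "\n" + "\n".join(new_lines) + "\n" + END + "\n"
    return (base + "\n\n" if base else "") + block, added, rejected


if __name__ == "__main__":
    text, added, rejected = add_to_blocklist(
        SAMPLE_HOSTS, ["https://WWW.Bad-Deals.example/login?x=1", "notadomain"])
    print(text)
    print("added:", added, "rejected:", rejected)
```

To apply it for real, read the hosts file, pass its contents and the list of sites through `add_to_blocklist`, and write the result back; that write needs administrator (or root) rights. Two caveats worth explaining to the person you are helping: a hosts-file entry only blocks the exact names listed (not every subdomain), and a browser configured for DNS-over-HTTPS may bypass the hosts file entirely, so on a newer browser check that setting too.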
The D.U.C. Model is helpful because it not only helps YOU determine how to fix a given problem, it also makes sure the person you are helping ends up with a security solution they can stand up and maintain on their own, with minimal or no assistance after the initial setup.
Over the next few months, I plan on giving hypothetical situations and showing you how the D.U.C. Model can help you create security solutions for your loved ones. Just follow the D.U.C. Model tags on my posts or this link to view my examples.