Fr. 34.50

Security Culture Playbook - An Executive Guide to Reducing Risk Developing Your Human Defense

English · Hardcover

Usually ships within 1 to 3 weeks (not available for immediate delivery)

Description

Mitigate human risk and bake security into your organization's culture from top to bottom with insights from leading experts in security awareness, behavior, and culture.
 
The topic of security culture is mysterious and confusing to most leaders. But it doesn't have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization's security culture and reduce human risk at every level. This book exposes the gaps in how organizations have traditionally approached human risk, and it provides security and business executives with the information and tools needed to understand, measure, and improve facets of security culture across the organization.
 
The book offers:
* An exposé of what security culture really is and how it can be measured
* A careful exploration of the 7 dimensions that comprise security culture
* Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
* Insights into building support within the executive team and Board of Directors for your culture management program
 
Also including several revealing interviews with security culture thought leaders in a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.

Table of contents

About the Authors viii
 
Acknowledgments xii
 
Introduction xxv
 
Part I: Foundation 1
 
Chapter 1: You Are Here 3
 
Why All the Buzz? 4
 
What Is Security Culture, Anyway? 8
 
A Problem of Definition 9
 
A Problem of Overconfidence 11
 
Takeaways 12
 
Chapter 2: Up-leveling the Conversation: Security Culture Is a Board-level Concern 13
 
A View from the Top 14
 
Telling the Human Side of the Story 15
 
What's the Cost of Not Getting This Right? 16
 
Cybercriminals Are Doubling Down on Their Attacks Against Your Employees 19
 
Your People and Security Culture Are at the Center of Everything 20
 
The Implication 22
 
Getting It Right 24
 
Takeaways 25
 
Chapter 3: The Foundations of Transformation 27
 
The Core Thesis 29
 
The Knowledge-Intention-Behavior Gap 29
 
Three Realities of Security Awareness 31
 
Program Focus 31
 
Extending the Discussion 33
 
Introducing the Security Culture Maturity Model 33
 
The Security Culture Maturity Model in Brief 35
 
The S-Curves 36
 
The Value of the Security Culture Maturity Model 37
 
You Are Always Either Building Strength or Allowing Atrophy 37
 
Takeaways 38
 
Part II: Exploration 39
 
Chapter 4: Just What Is Security Culture, Anyway? 41
 
Lessons from Safety Culture 42
 
A Jumble of Terms 44
 
Information Security Culture 45
 
IT Security Culture 45
 
Cybersecurity Culture 46
 
Security Culture in the Modern Day 46
 
Technology Focus 47
 
Compliance Focus 48
 
Human-Reality Focus 49
 
Takeaways 51
 
Chapter 5: Critical Concepts from the Social Sciences 53
 
What's the Real Goal--Awareness, Behavior, or Culture? 54
 
Coming to Terms with Our Irrational Nature 55
 
We Are Lazy 56
 
Why Don't We Just Give Up? 60
 
Security Culture--A Part of Organizational Culture 61
 
Takeaways 62
 
Chapter 6: The Components of Security Culture 63
 
A Problem of Definition 64
 
The Academic Perspective 64
 
The Practitioner Perspective 65
 
Defining Security Culture 66
 
Security Culture as Dimensions 67
 
The Seven Dimensions of Security Culture 69
 
Attitudes 69
 
Behaviors 69
 
Cognition 69
 
Communication 70
 
Compliance 70
 
Norms 70
 
Responsibilities 71
 
The Security Culture Survey 71
 
Example Findings from Measuring the Seven Dimensions 72
 
Normalized Use of Unauthorized Services 73
 
Confidentiality and Insider Threats 74
 
Last Thought 74
 
Takeaways 75
 
Chapter 7: Interviews with Organizational Culture Experts and Academics 77
 
John R. Childress, PYXIS Culture Technologies Limited 78
 
Why Is Culture Important? 78
 
Why Do You Find Culture Interesting? 79
 
Is There a Specific Definition of Culture That You Find Useful? 79
 
What Actions Can Be Taken to Direct Cultural Change? 80
 
Is There a Success or Horror Story You'd Like to Share Related to Culture Change? 81
 
How Does a Culture Evolve (or How Often?) 82
 
Professor John McAlaney, Bournemouth University, UK 82
 
Why Is Culture Important? 83
 
Why Do You Find Culture Interesting? 83
 
Is There a Specific Definition of Culture That You Find Useful? 83
 
What Actions Can Be Taken to Direct Cultural Change? 84
 
Is There a Success or Hor

About the author

PERRY CARPENTER, C|CISO, MSIA, is an author, podcaster, thought leader, and cybersecurity expert specializing in security awareness and the human factors of security. His research focuses on marketing, communication, behavior science, organizational culture management, sociology, and more. KAI ROER is the author of several books on security and leadership, a keynote speaker, and a thought leader in the security culture field. In addition to his research, he is an entrepreneur and the inventor of technology and frameworks that transformed the information security industry.
