Fr. 47.90

You Can Stop Stupid - Stopping Losses From Accidental and Malicious Actions

English · Paperback

Usually ships within 1 to 3 weeks (not available at short notice)

Description

Stopping Losses from Accidental and Malicious Actions
 
Around the world, users cost organizations billions of dollars due to simple errors and malicious actions. Organizations believe that there is some deficiency in the users. In response, they believe that they have to improve their awareness efforts and make users more secure. This is like saying that coalmines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and the failure is in not planning for that. It takes a holistic approach to assessing risk combined with technical defenses and countermeasures layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses.
Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.
* Minimize business losses associated with user failings
* Proactively plan to prevent and mitigate data breaches
* Optimize your security spending
* Cost justify your security and loss reduction efforts
* Improve your organization's culture
 
Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

Contents

Foreword xiii
Introduction xxvii

I Stopping Stupid is Your Job 1

1 Failure: The Most Common Option 3
History is Not on the Users' Side 4
Today's Common Approach 6
Operational and Security Awareness 6
Technology 7
Governance 8
We Propose a Strategy, Not Tactics 9

2 Users Are Part of the System 11
Understanding Users' Role in the System 11
Users Aren't Perfect 13
"Users" Refers to Anyone in Any Function 13
Malice is an Option 14
What You Should Expect from Users 15

3 What is User-Initiated Loss? 17
Processes 18
Culture 20
Physical Losses 22
Crime 24
User Malice 25
Social Engineering 27
User Error 28
Inadequate Training 29
Technology Implementation 30
Design and Maintenance 31
User Enablement 32
Shadow IT 33
Confusing Interfaces 35
UIL is Pervasive 35

II Foundational Concepts 37

4 Risk Management 39
Death by 1,000 Cuts 40
The Risk Equation 41
Value 43
Threats 47
Vulnerabilities 48
Countermeasures 54
Risk Optimization 60
Risk and User-Initiated Loss 63

5 The Problems with Awareness Efforts 65
Awareness Programs Can Be Extremely Valuable 65
Check-the-Box Mentality 66
Training vs Awareness 68
The Compliance Budget 68
Shoulds vs Musts 70
When It's Okay to Blame the User 72
Awareness Programs Do Not Always Translate into Practice 74
Structural Failings of Awareness Programs 75
Further Considerations 77

6 Protection, Detection, and Reaction 79
Conceptual Overview 80
Protection 81
Detection 82
Reaction 84
Mitigating a Loss in Progress 86
Mitigating Future Incidents 87
Putting It All Together 88

7 Lessons from Safety Science 89
The Limitations of Old-School Safety Science 91
Most UIL Prevention Programs Are Old-School 93
The New School of Safety Science 94
Putting Safety Science to Use 96
Safety Culture 97
The Need to Not Remove All Errors 98
When to Blame Users 100
We Need to Learn from Safety Science 100

8 Applied Behavioral Science 103
The ABCs of Behavioral Science 105
Antecedents 106
Behaviors 111
Consequences 112
Engineering Behavior vs Influencing Behavior 120

9 Security Culture and Behavior 123
ABCs of Culture 125
Types of Cultures 127
Subcultures 130
What is Your Culture? 132
Improving Culture 133
Determining a Finite Set of Behaviors to Improve 134
Behavioral Change Strategies 135
Traditional Project Management 137
Change Management 137
Is Culture Your Ally? 138

10 User Metrics 141
The Importance of Metrics 141
The Hidden Cost of Awareness 142
Types of Awareness Metrics 143
Compliance Metrics 144
Engagement Metrics 145
Behavioral Improvement 147
Tangible ROI 149
Intangible Benefits 149
Day 0 Metrics 150
Deserve More 151

11 The Kill Chain 153
Kill Chain Principles 154
The Military Kill Chain 154
The Cyber Kill Chain and Defense in Depth 155
Deconstructing

About the authors

Ira Winkler, CISSP, is President of Secure Mentem and is widely viewed as one of the world's most influential security professionals. Ira is the recipient of several prestigious industry awards, including being named "The Awareness Crusader" by CSO magazine when receiving their CSO COMPASS Award. Dr. Tracy Celaya Brown, CISSP, is President of Go Consulting International. She is a sought-after consultant in IT Security Program Management, Organizational Development, and Change Management.
