You can stop stupid : (Record no. 85908)

000 -LEADER
fixed length control field 11096nam a22003735i 4500
005 - DATE AND TIME OF LATEST TRANSACTION
control field 20230911103931.0
008 - FIXED-LENGTH DATA ELEMENTS--GENERAL INFORMATION
fixed length control field 191210s2020 inu 000 0 eng
010 ## - LIBRARY OF CONGRESS CONTROL NUMBER
LC control number 2019956718
020 ## - INTERNATIONAL STANDARD BOOK NUMBER
International Standard Book Number 9781119621980
Qualifying information (paperback)
020 ## - INTERNATIONAL STANDARD BOOK NUMBER
Cancelled/invalid ISBN 9781119622062
Qualifying information (adobe pdf)
020 ## - INTERNATIONAL STANDARD BOOK NUMBER
Cancelled/invalid ISBN 9781119622048
Qualifying information (epub)
020 ## - INTERNATIONAL STANDARD BOOK NUMBER
Cancelled/invalid ISBN 9781119623946
041 ## - LANGUAGE CODE
Language code of text/sound track or separate title eng.
042 ## - AUTHENTICATION CODE
Authentication code pcc
100 1# - MAIN ENTRY--PERSONAL NAME
Preferred name for the person Winkler, Ira,
Relator term author.
245 10 - TITLE STATEMENT
Title You can stop stupid :
Remainder of title stopping losses from accidental and malicious actions /
Statement of responsibility, etc Ira Winkler.
250 ## - EDITION STATEMENT
Edition statement 1.
263 ## - PROJECTED PUBLICATION DATE
Projected publication date 2005
264 #1 - PUBLICATION, DISTRIBUTION, ETC. (IMPRINT)
Place of publication, distribution, etc Indianapolis :
Name of publisher, distributor, etc John Wiley and Sons,
Date of publication, distribution, etc 2020.
300 ## - PHYSICAL DESCRIPTION
Extent 1 online resource
336 ## - CONTENT TYPE
Content type term text
Content type code txt
Source rdacontent
337 ## - MEDIA TYPE
Media type term computer
Media type code c
Source rdamedia
338 ## - CARRIER TYPE
Carrier type term online resource
Carrier type code cr
Source rdacarrier
500 ## - GENERAL NOTE
General note Includes index.
500 ## - GENERAL NOTE
General note Ira Winkler, CISSP, is President of Secure Mentem and is widely viewed as one of the world's most influential security professionals. Ira is the recipient of several prestigious industry awards, including being named "The Awareness Crusader" by CSO magazine on receiving its CSO COMPASS Award. Dr. Tracy Celaya Brown, CISSP, is President of Go Consulting International. She is a sought-after consultant in IT Security Program Management, Organizational Development, and Change Management.
505 0# - CONTENTS
Formatted contents note
Table of contents
Foreword xiii
Introduction xxvii
I Stopping Stupid is Your Job 1
1 Failure: The Most Common Option 3
History is Not on the Users' Side 4
Today's Common Approach 6
Operational and Security Awareness 6
Technology 7
Governance 8
We Propose a Strategy, Not Tactics 9
2 Users Are Part of the System 11
Understanding Users' Role in the System 11
Users Aren't Perfect 13
"Users" Refers to Anyone in Any Function 13
Malice is an Option 14
What You Should Expect from Users 15
3 What is User-Initiated Loss? 17
Processes 18
Culture 20
Physical Losses 22
Crime 24
User Malice 25
Social Engineering 27
User Error 28
Inadequate Training 29
Technology Implementation 30
Design and Maintenance 31
User Enablement 32
Shadow IT 33
Confusing Interfaces 35
UIL is Pervasive 35
II Foundational Concepts 37
4 Risk Management 39
Death by 1,000 Cuts 40
The Risk Equation 41
Value 43
Threats 47
Vulnerabilities 48
Countermeasures 54
Risk Optimization 60
Risk and User-Initiated Loss 63
5 The Problems with Awareness Efforts 65
Awareness Programs Can Be Extremely Valuable 65
Check-the-Box Mentality 66
Training vs Awareness 68
The Compliance Budget 68
Shoulds vs Musts 70
When It's Okay to Blame the User 72
Awareness Programs Do Not Always Translate into Practice 74
Structural Failings of Awareness Programs 75
Further Considerations 77
6 Protection, Detection, and Reaction 79
Conceptual Overview 80
Protection 81
Detection 82
Reaction 84
Mitigating a Loss in Progress 86
Mitigating Future Incidents 87
Putting It All Together 88
7 Lessons from Safety Science 89
The Limitations of Old-School Safety Science 91
Most UIL Prevention Programs Are Old-School 93
The New School of Safety Science 94
Putting Safety Science to Use 96
Safety Culture 97
The Need to Not Remove All Errors 98
When to Blame Users 100
We Need to Learn from Safety Science 100
8 Applied Behavioral Science 103
The ABCs of Behavioral Science 105
Antecedents 106
Behaviors 111
Consequences 112
Engineering Behavior vs Influencing Behavior 120
9 Security Culture and Behavior 123
ABCs of Culture 125
Types of Cultures 127
Subcultures 130
What is Your Culture? 132
Improving Culture 133
Determining a Finite Set of Behaviors to Improve 134
Behavioral Change Strategies 135
Traditional Project Management 137
Change Management 137
Is Culture Your Ally? 138
10 User Metrics 141
The Importance of Metrics 141
The Hidden Cost of Awareness 142
Types of Awareness Metrics 143
Compliance Metrics 144
Engagement Metrics 145
Behavioral Improvement 147
Tangible ROI 149
Intangible Benefits 149
Day 0 Metrics 150
Deserve More 151
11 The Kill Chain 153
Kill Chain Principles 154
The Military Kill Chain 154
The Cyber Kill Chain and Defense in Depth 155
Deconstructing the Cyber Kill Chain 157
Phishing Kill Chain Example 159
Other Models and Frameworks 162
Applying Kill Chains to UIL 164
12 Total Quality Management Revisited 167
TQM: In Search of Excellence 168
Exponential Increase in Errors 169
Principles of TQM 171
What Makes TQM Fail? 172
Other Frameworks 174
Product Improvement and Management 177
Kill Chain for Process Improvement 178
COVID-19 Remote Workforce Process Activated 178
Applying Quality Principles 179
III Countermeasures 181
13 Governance 183
Defining the Scope of Governance for Our Purposes 184
Operational Security or Loss Mitigation 185
Physical Security 186
Personnel Security 186
Traditional Governance 187
Policies, Procedures, and Guidelines 188
In the Workplace 190
Security and the Business 191
Analyzing Processes 192
Grandma's House 194
14 Technical Countermeasures 197
Personnel Countermeasures 199
Background Checks 200
Continuous Monitoring 201
Employee Management Systems 201
Misuse and Abuse Detection 202
Data Leak Prevention 203
Physical Countermeasures 203
Access Control Systems 203
Surveillance and Safety Systems 204
Point-of-Sale Systems 206
Inventory Systems and Supply Chains 207
Computer Tracking Systems 207
Operational Countermeasures 208
Accounting Systems 209
Customer Relationship Management 210
Operational Technology 210
Workflow Management 211
Cybersecurity Countermeasures 212
The 20 CIS Controls and Resources 212
Anti-malware Software 213
Whitelisting 214
Firewalls 214
Intrusion Detection/Prevention Systems 215
Managed Security Services 215
Backups 215
Secure Configurations 216
Automated Patching 216
Vulnerability Management Tools 217
Behavioral Analytics 217
Data Leak Prevention 218
Web Content Filters/Application Firewalls 218
Wireless and Remote Security 219
Mobile Device Management 219
Multifactor Authentication 220
Single Sign-On 221
Encryption 221
Nothing is Perfect 223
Putting It All Together 223
15 Creating Effective Awareness Programs 225
What is Effective Awareness? 226
Governance as the Focus 227
Where Awareness Strategically Fits in the Organization 229
The Goal of Awareness Programs 230
Changing Culture 231
Defining Subcultures 232
Interdepartmental Cooperation 233
The Core of All Awareness Efforts 234
Process 235
Business Drivers 237
Culture and Communication Tools 238
Putting It Together 245
Metrics 246
Gamification 246
Gamification Criteria 247
Structuring Gamification 248
Gamification is Not for Everyone 248
Getting Management's Support 249
Awareness Programs for Management 249
Demonstrate Clear Business Value 250
Enforcement 250
Experiment 251
IV Applying Boom 253
16 Start with Boom 255
What Are the Actions That Initiate UIL? 257
Start with a List 257
Order the List 258
Metrics 259
Governance 260
User Experience 261
Prevention and Detection 262
Awareness 263
Feeding the Cycle 263
Stopping Boom 264
17 Right of Boom 265
Repeat as Necessary 266
What Does Loss Initiation Look Like? 267
What Are the Potential Losses? 268
Preventing the Loss 272
Compiling Protective Countermeasures 273
Detecting the Loss 274
Before, During, and After 275
Mitigating the Loss 276
Determining Where to Mitigate 277
Avoiding Analysis Paralysis 278
Your Last Line of Defense 278
18 Preventing Boom 279
Why Are We Here? 280
Reverse Engineering 281
Governance 283
Awareness 284
Technology 285
Step-by-Step 287
19 Determining the Most Effective Countermeasures 289
Early Prevention vs Response 290
Start with Governance 292
Understand the Business Goal 293
Start Left of Boom 294
Consider Technology 295
Prioritize Potential Loss 296
Define Governance Thoroughly 297
Matrix Technical Countermeasures 299
Creating the Matrix 300
Define Awareness 301
It's Just a Start 302
20 Implementation Considerations 303
You've Got Issues 304
Weak Strategy 304
Resources, Culture, and Implementation 305
Lack of Ownership and Accountability 307
One Effort at a Time 308
Change Management 308
Adopting Changes 309
Governance, Again 314
Business Case for a Human Security Officer 315
It Won't Be Easy 316
21 If You Have Stupid Users, You Have a Stupid System 317
A User Should Never Surprise You 317
Perform Some More Research 318
Start Somewhere 319
Take Day Zero Metrics 320
UIL Mitigation is a Living Process 320
Grow from Success 321
The Users Are Your Canary in the Mine 322
Index 325
520 ## - SUMMARY, ETC.
Summary, etc
Stopping Losses from Accidental and Malicious Actions

Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations tend to conclude that the users themselves are deficient, and respond by trying to improve their awareness efforts and make users "more secure." This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or act maliciously, and that the failure lies in not planning for that. It takes a holistic approach to assessing risk combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst cybersecurity breaches and other user-initiated losses.

Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.

Minimize business losses associated with user failings
Proactively plan to prevent and mitigate data breaches
Optimize your security spending
Cost-justify your security and loss reduction efforts
Improve your organization's culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.
655 #0 - INDEX TERM--GENRE/FORM
Genre/form data or focus term Electronic books.
856 ## - ELECTRONIC LOCATION AND ACCESS
Uniform Resource Identifier https://onlinelibrary.wiley.com/doi/book/10.1002/9781119623946
Link text Full text available at Wiley Online Library. Click here to view.
906 ## - LOCAL DATA ELEMENT F, LDF (RLIN)
a 0
b ibc
c orignew
d 2
e epcn
f 20
g y-gencatlg
942 ## - ADDED ENTRY ELEMENTS
Source of classification or shelving scheme
Item type EBOOK
Holdings
Permanent Location COLLEGE LIBRARY
Current Location COLLEGE LIBRARY
Date acquired 2023-09-11
Inventory number 52839
Full call number 658.47 W7294 2020
Barcode CL-52839
Date last seen 2023-09-11
Price effective from 2023-09-11
Item type EBOOK