You can stop stupid : stopping losses from accidental and malicious actions / Ira Winkler.

By: Winkler, Ira [author.]
Language: English
Publisher: Indianapolis : John Wiley and Sons, 2020
Edition: 1
Description: 1 online resource
Content type: text
Media type: computer
Carrier type: online resource
ISBN: 9781119621980
Genre/Form: Electronic books.
Online resources: Full text available at Wiley Online Library.

Includes index.

Ira Winkler, CISSP, is President of Secure Mentem and is widely viewed as one of the world's most influential security professionals. Ira is the recipient of several prestigious industry awards, including being named "The Awareness Crusader" by CSO magazine upon receiving its CSO COMPASS Award. Dr. Tracy Celaya Brown, CISSP, is President of Go Consulting International. She is a sought-after consultant in IT Security Program Management, Organizational Development, and Change Management.


Table of contents

Foreword xiii

Introduction xxvii

I Stopping Stupid is Your Job 1

1 Failure: The Most Common Option 3

History is Not on the Users’ Side 4

Today’s Common Approach 6

Operational and Security Awareness 6

Technology 7

Governance 8

We Propose a Strategy, Not Tactics 9

2 Users Are Part of the System 11

Understanding Users’ Role in the System 11

Users Aren’t Perfect 13

“Users” Refers to Anyone in Any Function 13

Malice is an Option 14

What You Should Expect from Users 15

3 What is User-Initiated Loss? 17

Processes 18

Culture 20

Physical Losses 22

Crime 24

User Malice 25

Social Engineering 27

User Error 28

Inadequate Training 29

Technology Implementation 30

Design and Maintenance 31

User Enablement 32

Shadow IT 33

Confusing Interfaces 35

UIL is Pervasive 35

II Foundational Concepts 37

4 Risk Management 39

Death by 1,000 Cuts 40

The Risk Equation 41

Value 43

Threats 47

Vulnerabilities 48

Countermeasures 54

Risk Optimization 60

Risk and User-Initiated Loss 63

5 The Problems with Awareness Efforts 65

Awareness Programs Can Be Extremely Valuable 65

Check-the-Box Mentality 66

Training vs Awareness 68

The Compliance Budget 68

Shoulds vs Musts 70

When It’s Okay to Blame the User 72

Awareness Programs Do Not Always Translate into Practice 74

Structural Failings of Awareness Programs 75

Further Considerations 77

6 Protection, Detection, and Reaction 79

Conceptual Overview 80

Protection 81

Detection 82

Reaction 84

Mitigating a Loss in Progress 86

Mitigating Future Incidents 87

Putting It All Together 88

7 Lessons from Safety Science 89

The Limitations of Old-School Safety Science 91

Most UIL Prevention Programs Are Old-School 93

The New School of Safety Science 94

Putting Safety Science to Use 96

Safety Culture 97

The Need to Not Remove All Errors 98

When to Blame Users 100

We Need to Learn from Safety Science 100

8 Applied Behavioral Science 103

The ABCs of Behavioral Science 105

Antecedents 106

Behaviors 111

Consequences 112

Engineering Behavior vs Influencing Behavior 120

9 Security Culture and Behavior 123

ABCs of Culture 125

Types of Cultures 127

Subcultures 130

What is Your Culture? 132

Improving Culture 133

Determining a Finite Set of Behaviors to Improve 134

Behavioral Change Strategies 135

Traditional Project Management 137

Change Management 137

Is Culture Your Ally? 138

10 User Metrics 141

The Importance of Metrics 141

The Hidden Cost of Awareness 142

Types of Awareness Metrics 143

Compliance Metrics 144

Engagement Metrics 145

Behavioral Improvement 147

Tangible ROI 149

Intangible Benefits 149

Day 0 Metrics 150

Deserve More 151

11 The Kill Chain 153

Kill Chain Principles 154

The Military Kill Chain 154

The Cyber Kill Chain and Defense in Depth 155

Deconstructing the Cyber Kill Chain 157

Phishing Kill Chain Example 159

Other Models and Frameworks 162

Applying Kill Chains to UIL 164

12 Total Quality Management Revisited 167

TQM: In Search of Excellence 168

Exponential Increase in Errors 169

Principles of TQM 171

What Makes TQM Fail? 172

Other Frameworks 174

Product Improvement and Management 177

Kill Chain for Process Improvement 178

COVID-19 Remote Workforce Process Activated 178

Applying Quality Principles 179

III Countermeasures 181

13 Governance 183

Defining the Scope of Governance for Our Purposes 184

Operational Security or Loss Mitigation 185

Physical Security 186

Personnel Security 186

Traditional Governance 187

Policies, Procedures, and Guidelines 188

In the Workplace 190

Security and the Business 191

Analyzing Processes 192

Grandma’s House 194

14 Technical Countermeasures 197

Personnel Countermeasures 199

Background Checks 200

Continuous Monitoring 201

Employee Management Systems 201

Misuse and Abuse Detection 202

Data Leak Prevention 203

Physical Countermeasures 203

Access Control Systems 203

Surveillance and Safety Systems 204

Point-of-Sale Systems 206

Inventory Systems and Supply Chains 207

Computer Tracking Systems 207

Operational Countermeasures 208

Accounting Systems 209

Customer Relationship Management 210

Operational Technology 210

Workflow Management 211

Cybersecurity Countermeasures 212

The 20 CIS Controls and Resources 212

Anti-malware Software 213

Whitelisting 214

Firewalls 214

Intrusion Detection/Prevention Systems 215

Managed Security Services 215

Backups 215

Secure Configurations 216

Automated Patching 216

Vulnerability Management Tools 217

Behavioral Analytics 217

Data Leak Prevention 218

Web Content Filters/Application Firewalls 218

Wireless and Remote Security 219

Mobile Device Management 219

Multifactor Authentication 220

Single Sign-On 221

Encryption 221

Nothing is Perfect 223

Putting It All Together 223

15 Creating Effective Awareness Programs 225

What is Effective Awareness? 226

Governance as the Focus 227

Where Awareness Strategically Fits in the Organization 229

The Goal of Awareness Programs 230

Changing Culture 231

Defining Subcultures 232

Interdepartmental Cooperation 233

The Core of All Awareness Efforts 234

Process 235

Business Drivers 237

Culture and Communication Tools 238

Putting It Together 245

Metrics 246

Gamification 246

Gamification Criteria 247

Structuring Gamification 248

Gamification is Not for Everyone 248

Getting Management’s Support 249

Awareness Programs for Management 249

Demonstrate Clear Business Value 250

Enforcement 250

Experiment 251

IV Applying Boom 253

16 Start with Boom 255

What Are the Actions That Initiate UIL? 257

Start with a List 257

Order the List 258

Metrics 259

Governance 260

User Experience 261

Prevention and Detection 262

Awareness 263

Feeding the Cycle 263

Stopping Boom 264

17 Right of Boom 265

Repeat as Necessary 266

What Does Loss Initiation Look Like? 267

What Are the Potential Losses? 268

Preventing the Loss 272

Compiling Protective Countermeasures 273

Detecting the Loss 274

Before, During, and After 275

Mitigating the Loss 276

Determining Where to Mitigate 277

Avoiding Analysis Paralysis 278

Your Last Line of Defense 278

18 Preventing Boom 279

Why Are We Here? 280

Reverse Engineering 281

Governance 283

Awareness 284

Technology 285

Step-by-Step 287

19 Determining the Most Effective Countermeasures 289

Early Prevention vs Response 290

Start with Governance 292

Understand the Business Goal 293

Start Left of Boom 294

Consider Technology 295

Prioritize Potential Loss 296

Define Governance Thoroughly 297

Matrix Technical Countermeasures 299

Creating the Matrix 300

Define Awareness 301

It’s Just a Start 302

20 Implementation Considerations 303

You’ve Got Issues 304

Weak Strategy 304

Resources, Culture, and Implementation 305

Lack of Ownership and Accountability 307

One Effort at a Time 308

Change Management 308

Adopting Changes 309

Governance, Again 314

Business Case for a Human Security Officer 315

It Won’t Be Easy 316

21 If You Have Stupid Users, You Have a Stupid System 317

A User Should Never Surprise You 317

Perform Some More Research 318

Start Somewhere 319

Take Day Zero Metrics 320

UIL Mitigation is a Living Process 320

Grow from Success 321

The Users Are Your Canary in the Mine 322

Index 325



Stopping Losses from Accidental and Malicious Actions

Around the world, users cost organizations billions of dollars due to simple errors and malicious actions. Organizations believe that there is some deficiency in the users. In response, they believe that they have to improve their awareness efforts and make their users more secure. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and the failure is in not planning for that. It takes a holistic approach to assessing risk combined with technical defenses and countermeasures layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses.

Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.

Minimize business losses associated with user failings
Proactively plan to prevent and mitigate data breaches
Optimize your security spending
Cost justify your security and loss reduction efforts
Improve your organization’s culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.
