CHF22.80
Download is available immediately
Stopping Losses from Accidental and Malicious Actions
Around the world, users cost organizations billions of dollars due to simple errors and malicious actions. Organizations believe that there is some deficiency in the users. In response, they believe that they have to improve their awareness efforts and make more secure users. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and that the failure is in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses.
Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.
Minimize business losses associated with user failings
Proactively plan to prevent and mitigate data breaches
Optimize your security spending
Cost justify your security and loss reduction efforts
Improve your organization's culture
Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.
Author
Ira Winkler, CISSP, is President of Secure Mentem and is widely viewed as one of the world's most influential security professionals. Ira is the recipient of several prestigious industry awards, including being named "The Awareness Crusader" by CSO magazine when receiving their CSO COMPASS Award. Dr. Tracy Celaya Brown, CISSP, is President of Go Consulting International. She is a sought-after consultant in IT Security Program Management, Organizational Development, and Change Management.
Summary
Contents
Foreword xiii
Introduction xxvii
I Stopping Stupid is Your Job 1
1 Failure: The Most Common Option 3
History is Not on the Users' Side 4
Today's Common Approach 6
Operational and Security Awareness 6
Technology 7
Governance 8
We Propose a Strategy, Not Tactics 9
2 Users Are Part of the System 11
Understanding Users' Role in the System 11
Users Aren't Perfect 13
Users Refers to Anyone in Any Function 13
Malice is an Option 14
What You Should Expect from Users 15
3 What is User-Initiated Loss? 17
Processes 18
Culture 20
Physical Losses 22
Crime 24
User Malice 25
Social Engineering 27
User Error 28
Inadequate Training 29
Technology Implementation 30
Design and Maintenance 31
User Enablement 32
Shadow IT 33
Confusing Interfaces 35
UIL is Pervasive 35
II Foundational Concepts 37
4 Risk Management 39
Death by 1,000 Cuts 40
The Risk Equation 41
Value 43
Threats 47
Vulnerabilities 48
Countermeasures 54
Risk Optimization 60
Risk and User-Initiated Loss 63
5 The Problems with Awareness Efforts 65
Awareness Programs Can Be Extremely Valuable 65
Check-the-Box Mentality 66
Training vs Awareness 68
The Compliance Budget 68
Shoulds vs Musts 70
When It's Okay to Blame the User 72
Awareness Programs Do Not Always Translate into Practice 74
Structural Failings of Awareness Programs 75
Further Considerations 77
6 Protection, Detection, and Reaction 79
Conceptual Overview 80
Protection 81
Detection 82
Reaction 84
Mitigating a Loss in Progress 86
Mitigating Future Incidents 87
Putting It All Together 88
7 Lessons from Safety Science 89
The Limitations of Old-School Safety Science 91
Most UIL Prevention Programs Are Old-School 93
The New School of Safety Science 94
Putting Safety Science to Use 96
Safety Culture 97
The Need to Not Remove All Errors 98
When to Blame Users 100
We Need to Learn from Safety Science 100
8 Applied Behavioral Science 103
The ABCs of Behavioral Science 105
Antecedents 106
Behaviors 111
Consequences 112
Engineering Behavior vs Influencing Behavior 120
9 Security Culture and Behavior 123
ABCs of Culture 125
Types of Cultures 127
Subcultures 130
What is Your Culture? 132
Improving Culture 133
Determining a Finite Set of Behaviors to Improve 134
Behavioral Change Strategies 135
Traditional Project Management 137
Change Management 137
Is Culture Your Ally? 138
10 User Metrics 141
The Importance of Metrics 141
The Hidden Cost of Awareness 142
Types of Awareness Metrics 143
Compliance Metrics 144
Engagement Metrics 145
Behavioral Improvement 147
Tangible ROI 149
Intangible Benefits 149
Day 0 Metrics 150
Deserve More 151
11 The Kill Chain 153
Kill Chain Principles 154
The Military Kill Chain 154
The Cyber Kill Chain and Defense in Depth 155
Deconstructing the Cyber Kill Chain 157
Phishing Kill Chain Example 159
Other Models and Frameworks 162 <...