You CAN Stop Stupid
Contents
Ira Winkler. You CAN Stop Stupid
Table of Contents
You CAN Stop Stupid. Stopping Losses from Accidental and Malicious Actions
Introduction
What Is Stupid?
Do You Create Stupidity?
How Smart Organizations Become Smart
Not All Industries Are as Smart
Deserve More
Reader Support for This Book
How to Contact the Publisher
How to Contact the Authors
I Stopping Stupid Is Your Job
1 Failure: The Most Common Option
History Is Not on the Users’ Side
Today's Common Approach
Operational and Security Awareness
Technology
Governance
We Propose a Strategy, Not Tactics
2 Users Are Part of the System
Understanding Users' Role in the System
Users Aren't Perfect
“Users” Refers to Anyone in Any Function
Malice Is an Option
What You Should Expect from Users
3 What Is User-Initiated Loss?
Processes
Culture
Physical Losses
Crime
User Malice
Social Engineering
User Error
Inadequate Training
Technology Implementation
Design and Maintenance
User Enablement
Shadow IT
Confusing Interfaces
UIL Is Pervasive
II Foundational Concepts
4 Risk Management
Death by 1,000 Cuts
The Risk Equation
Value
Monetary Value
Opportunity Value
Reputation Value
Value to Potential Attackers
Threats
Vulnerabilities
Physical Vulnerabilities
Operational Vulnerabilities
Personnel Vulnerabilities
Technical Vulnerabilities
THE TWO WAYS TO HACK A COMPUTER
Countermeasures
Protection, Detection, and Reaction
Accept, Avoid, Mitigate, Transfer
TIME'S ROLE IN COUNTERMEASURES
Types of Countermeasures
Physical Countermeasures
Operational Countermeasures
Personnel Countermeasures
Technical Countermeasures
Risk Optimization
Risk and User-Initiated Loss
5 The Problems with Awareness Efforts
Awareness Programs Can Be Extremely Valuable
Check-the-Box Mentality
Training vs. Awareness
The Compliance Budget
Shoulds vs. Musts
SOMMELIER VS. GRANDMA
When It's Okay to Blame the User
Awareness Programs Do Not Always Translate into Practice
Structural Failings of Awareness Programs
Further Considerations
6 Protection, Detection, and Reaction
Conceptual Overview
Protection
Detection
Reaction
Mitigating a Loss in Progress
Mitigating Future Incidents
Putting It All Together
7 Lessons from Safety Science
The Limitations of Old-School Safety Science
Most UIL Prevention Programs Are Old-School
The New School of Safety Science
Putting Safety Science to Use
Safety Culture
The Need to Not Remove All Errors
When to Blame Users
We Need to Learn from Safety Science
8 Applied Behavioral Science
The ABCs of Behavioral Science
Antecedents
Passive Antecedents vs. Active Antecedents
ADDRESSING BACKGROUND NOISE
The Importance of Motivation
Behaviors
Consequences
THE ANTECEDENT WHO CRIED WOLF
Gamification
Analyzing Consequences
E-TIP Overview
Engineering Behavior vs. Influencing Behavior
9 Security Culture and Behavior
BEHAVIORAL MOTIVATION
ABCs of Culture
Types of Cultures
Subcultures
What Is Your Culture?
Improving Culture
Determining a Finite Set of Behaviors to Improve
Behavioral Change Strategies
WILL BEHAVIORAL CHANGE STICK?
Traditional Project Management
Change Management
Is Culture Your Ally?
10 User Metrics
The Importance of Metrics
The Hidden Cost of Awareness
Types of Awareness Metrics
Compliance Metrics
Engagement Metrics
Attendance Metrics
Likability Metrics
Knowledge Level
Behavioral Improvement
Tangible ROI
Intangible Benefits
Day 0 Metrics
Deserve More
11 The Kill Chain
Kill Chain Principles
The Military Kill Chain
The Cyber Kill Chain and Defense in Depth
Deconstructing the Cyber Kill Chain
Phishing Kill Chain Example
Other Models and Frameworks
APPLICATIONS OF MITRE ATT&CK
Applying Kill Chains to UIL
12 Total Quality Management Revisited
TQM: In Search of Excellence
Exponential Increase in Errors
Principles of TQM
What Makes TQM Fail?
Other Frameworks
Product Improvement and Management
Kill Chain for Process Improvement
COVID-19 Remote Workforce Process Activated
Applying Quality Principles
III Countermeasures
13 Governance
Defining the Scope of Governance for Our Purposes
Operational Security or Loss Mitigation
Physical Security
Personnel Security
Traditional Governance
Policies, Procedures, and Guidelines
In the Workplace
Security and the Business
Analyzing Processes
Grandma's House
14 Technical Countermeasures
SOFTWARE AS A SERVICE
Personnel Countermeasures
Background Checks
Continuous Monitoring
Employee Management Systems
Misuse and Abuse Detection
Data Leak Prevention
Physical Countermeasures
Access Control Systems
Surveillance and Safety Systems
Point-of-Sale Systems
Inventory Systems and Supply Chains
Computer Tracking Systems
Operational Countermeasures
Accounting Systems
Customer Relationship Management
Operational Technology
Workflow Management
Cybersecurity Countermeasures
The 20 CIS Controls and Resources
Anti-malware Software
Whitelisting
Firewalls
Intrusion Detection/Prevention Systems
Managed Security Services
Backups
Secure Configurations
Automated Patching
Vulnerability Management Tools
Behavioral Analytics
Data Leak Prevention
Web Content Filters/Application Firewalls
Wireless and Remote Security
Mobile Device Management
Multifactor Authentication
Single Sign-On
Encryption
Nothing Is Perfect
Putting It All Together
15 Creating Effective Awareness Programs
What Is Effective Awareness?
Governance as the Focus
Where Awareness Strategically Fits in the Organization
The Goal of Awareness Programs
Changing Culture
Defining Subcultures
Interdepartmental Cooperation
The Core of All Awareness Efforts
Process
Business Drivers
Culture and Communication Tools
Computer-Based Training
Phishing Simulations
Newsletters
Knowledge Base
Posters
Monitor Displays and Screensavers
Mouse Pads, Coffee Cups, and More
Special Events
Meetings
Ambassadors
Putting It Together
Metrics
Gamification
Gamification Criteria
Structuring Gamification
Gamification Is Not for Everyone
Getting Management's Support
Awareness Programs for Management
Demonstrate Clear Business Value
Enforcement
Experiment
IV Applying Boom
16 Start with Boom
What Are the Actions That Initiate UIL?
Start with a List
Order the List
Metrics
Governance
User Experience
Prevention and Detection
Awareness
Feeding the Cycle
Stopping Boom
17 Right of Boom
Repeat as Necessary
What Does Loss Initiation Look Like?
What Are the Potential Losses?
Preventing the Loss
Compiling Protective Countermeasures
Detecting the Loss
Before, During, and After
Mitigating the Loss
Determining Where to Mitigate
Avoiding Analysis Paralysis
Your Last Line of Defense
18 Preventing Boom
Why Are We Here?
Reverse Engineering
Governance
Awareness
Consider the Compliance Budget
Technology
Step-by-Step
19 Determining the Most Effective Countermeasures
Early Prevention vs. Response
Start with Governance
Understand the Business Goal
Removing the User
Start Left of Boom
Consider Technology
Prioritize Potential Loss
Define Governance Thoroughly
Matrix Technical Countermeasures
Creating the Matrix
Define Awareness
It's Just a Start
20 Implementation Considerations
You've Got Issues
Weak Strategy
Resources, Culture, and Implementation
Lack of Ownership and Accountability
One Effort at a Time
Change Management
Adopting Changes
Kubler-Ross Change Curve
J-Curve of Adoption or Diffusion of Innovation
Governance, Again
Business Case for a Human Security Officer
It Won't Be Easy
21 If You Have Stupid Users, You Have a Stupid System
A User Should Never Surprise You
Perform Some More Research
Start Somewhere
Take Day Zero Metrics
UIL Mitigation Is a Living Process
Grow from Success
The Users Are Your Canary in the Mine
Index
About the Authors
About the Technical Editors
Acknowledgments
Foreword
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Ira Winkler
Dr. Tracy Celaya Brown
.....
There are a wide variety of decisions made in the implementation of technology. These design decisions drive the interactions and capabilities provided to the end users. Although it is easy to blame end users when they commit an act that inevitably leads to damage, if the design of the system leads them to commit the harmful action, it is hard to attribute the blame solely to the end user. Such is the case in attempting to blame the Lion Air and Ethiopian Airlines pilots of the doomed Boeing 737 MAX airplanes.
In the implementation of technology, there are many common design issues that essentially automate loss. Programming errors can crash major computer systems. If this happens to a financial institution, transactions can be blocked for hours. If it happens to an airline's scheduling systems, planes can be grounded until the problem is resolved.
.....