Security Awareness For Dummies
Table of Contents
Ira Winkler. Security Awareness For Dummies
Security Awareness For Dummies®
To view this book's Cheat Sheet, simply go to www.dummies.com and search for “Security Awareness For Dummies Cheat Sheet” in the Search box.
Table of Contents
List of Illustrations
Guide
Pages
Introduction
About This Book
Foolish Assumptions
Icons Used in This Book
Beyond the Book
Where to Go from Here
Getting to Know Security Awareness
Knowing How Security Awareness Programs Work
Understanding the Benefits of Security Awareness
Reducing losses from phishing attacks
Reducing losses by reducing risk
Grasping how users initiate loss
Knowing How Security Awareness Programs Work
Establishing and measuring goals
GETTING THE BUDGET YOU NEED
Showing users how to “do things right”
Recognizing the Role of Awareness within a Security Program
Disputing the Myth of the Human Firewall
Starting On the Right Foot: Avoiding What Doesn’t Work
Making a Case Beyond Compliance Standards
CHECKING THE BOX MIGHT NOT BE JUST FOR AWARENESS
Treating Compliance as a Must
Motivating users to take action
Working within the compliance budget
Limiting the Popular Awareness Theories
Applying psychology to a diverse user base
IF YOU SEE SOMETHING, SAY SOMETHING
Differentiating between marketing and awareness
Distinguishing Social Engineering from Security Awareness
Addressing Mental Models That Don’t Work
Making Perfection the Stated Goal
Measuring from the Start
Prioritizing Program Over Product
Choosing Substance Over Style
Understanding the Role of Security Awareness
Applying the Science Behind Human Behavior and Risk Management
Achieving Common Sense through Common Knowledge
Borrowing Ideas from Safety Science
Recognizing incidents as system failures
Responding to incidents
Applying Accounting Practices to Security Awareness
Applying the ABCs of Awareness
Benefiting from Group Psychology
The ABCs of behavioral science
The Fogg Behavior Model
Relating B:MAP to the ABCs of awareness and behavior
The Forgetting Curve
Remembering That It’s All About Risk
Optimizing risk
The risk formula
Value
Threat
DEALING WITH NATURAL DISASTERS
Vulnerabilities
Countermeasures
Building a Security Awareness Program
Creating a Security Awareness Strategy
Identifying the Components of an Awareness Program
KNOWING SOME BASIC TERMINOLOGY
Choosing effective communications tools
Picking topics based on business drivers
Knowing when you’re a success
GAMIFICATION
Figuring Out How to Pay for It All
Determining Culture and Business Drivers
Understanding Your Organization’s Culture
Determining security culture
Recognizing how culture relates to business drivers
Identifying Subcultures
Interviewing Stakeholders
Requesting stakeholder interviews
Scheduling the interviews
Creating interview content
Taking names
Partnering with Other Departments
Choosing What to Tell The Users
Basing Topics on Business Drivers
Incorporating Personal Awareness Topics
Motivating Users to Do Things “Right”
Common Topics Covered in Security Awareness Programs
Phishing
Social engineering
Texting and instant messaging security
Physical security
Malware
Ransomware
Password security
Cloud security
USB device security
Internet of Things
Travel security
Wi-Fi security
Mobile devices
Work from home
Basic computer security
Insider threat
Protecting children on the internet
Social media security
Moving security
Compliance topics
Choosing the Best Tools for the Job
Identifying Security Ambassadors
Finding ambassadors
Maintaining an ambassador program
Knowing the Two Types of Communications Tools
Reminding users to take action
Requiring interaction from users
THE HIDDEN COST OF SECURITY AWARENESS
Exploring Your Communications Arsenal
Knowledgebase
Posters
Hardcopy newsletters
Monitor displays
Screen savers
Pamphlets
Desk drops
Table tents
Coffee cups or sleeves
Stickers
Mouse pads
Pens and other useful giveaways
Camera covers
Squishy toys and other fun giveaways
Active communications tools
Computer based training
Contests
Events
FINDING OUTSIDE SPEAKERS
MANDATORY OR NOT?
Measuring Performance
THE NEXT GENERATION OF AWARENESS TOOLS
Knowing the Hidden Cost of Awareness Efforts
Meeting Compliance Requirements
KEEPING YOUR EYE ON REGULATIONS AND LAWSUITS
Collecting Engagement Metrics
Attendance metrics
Likability metrics
Knowledge metrics
Measuring Improved Behavior
Tracking the number of incidents
OBSERVING SECURITY BEHAVIOR
Examining behavior with simulations
TURNING SIMULATIONS INTO TEACHABLE MOMENTS
Tracking behavior with gamification
Demonstrating a Tangible Return on Investment
Recognizing Intangible Benefits of Security Awareness
Knowing Where You Started: Day 0 Metrics
Putting Your Security Awareness Program Into Action
Assembling Your Security Awareness Program
Knowing Your Budget
BENEFITING FROM AN INCIDENT WINDFALL
Finding additional sources for funding
Securing additional executive support
Coordinating with other departments
WORKING WITH CORPORATE COMMUNICATIONS
Allocating for your musts
Limiting your discretionary budget
Appreciating your team as your most valuable resource
Choosing to Implement One Program or Multiple Programs
Managing multiple programs
Beginning with one program
Gaining Support from Management
CREATING AN EXECUTIVE AWARENESS PROGRAM
Devising a Quarterly Delivery Strategy
Ensuring that your message sticks
Distributing topics over three months
ACCOMMODATING DELAYS WITHIN A QUARTERLY SCHEDULE
Deciding Whether to Include Phishing Simulations
Planning Which Metrics to Collect and When
Considering metrics versus topics
Choosing three behavioral metrics
Incorporating Day 0 metrics
Scheduling periodic updates
Biasing your metrics
Branding Your Security Awareness Program
Creating a theme
Maintaining brand consistency
Coming up with a catchphrase and logo
Promoting your program with a mascot
Running Your Security Awareness Program
Nailing the Logistics
Determining sources or vendors
Scheduling resources and distribution
Contracting vendors
Recognizing the role of general project management
Getting All Required Approvals
Getting the Most from Day 0 Metrics
ADAPTING PHISHING EXERCISES FOR METRICS COLLECTION
Creating Meaningful Reports
Presenting reports as a graphical dashboard
Adding index scores
Creating an awareness index
Reevaluating Your Program
Reconsidering your metrics
Evaluating your communications tools
Measuring behavioral changes
Redesigning Your Program
Anything stand out?
Adding subcultures
Adding, deleting, and continuing metrics
Adding and discontinuing communications tools
Revisiting awareness topics
Considering Breaking News and Incidents
THE COVID-19 IMPACT
Implementing Gamification
Understanding Gamification
Identifying the Four Attributes of Gamification
Figuring Out Where to Gamify Awareness
Examining Some Tactical Gamification Examples
Phishing reporting
Clean desk drops
Tailgating exercises
USB drop reporting
Reporting security incidents
Ad hoc gamification
Putting Together a Gamification Program
Determining reward tiers
Assigning point levels
HOW POKEMON GO DEALS WITH POINTS
Creating a theme
Offering valid rewards
Assigning points to behaviors
Tracking users and the points they earn
Promoting the Program
Running Phishing Simulation Campaigns
Knowing Why Phishing Simulations Matter
Setting Goals for Your Phishing Program
Checking the box
Producing easy metrics
Benefiting from just-in-time training
Differentiating between risky and secure users
Planning a Phishing Program
Identifying the players
Obtaining permission and buy-in
Allocating enough time for phishing simulations
Choosing responsive tools
Choosing a Phishing Tool
Creating custom phishing tools
Choosing vendor options
Knowing which options are available
Separating CBT and phishing vendors
Matching vendor features to your needs
Identifying features that can cause problems
Hiring managed services
Integrating machine learning
Implementing a Phishing Simulation Program
Integrating Active Directory
Working with subcultures and geographies
Choosing languages
Registering phishing domains
Defining program goals
Collecting Day 0 metrics
Running a Phishing Simulation
Determining the targets
Preparing the lures
Determining the sophistication of the test
CONSIDERING PHISHING SERVICE PROVIDERS
Constructing the lures
Finding lure ideas
COOKING THE BOOKS
Adhering to ethical considerations
Creating landing pages
Addressing logistical concerns
Coordinating whitelisting and working around spam filters
Adding gamification
Determining phishing frequency
Scheduling the tests
Anticipating user responses
Alerting the appropriate parties
Conducting a pilot test
Tracking Metrics and Identifying Trends
Dealing with Repeat Offenders
Management Reporting
The Part of Tens
Ten Ways to Win Support for Your Awareness Program
Finding Yourself a Champion
Setting the Right Expectations
Addressing Business Concerns
Creating an Executive Program
Starting Small and Simple
Finding a Problem to Solve
Establishing Credibility
Highlighting Actual Incidents
Being Responsive
Looking for Similar Programs
Ten Ways to Make Friends and Influence People
Garnering Active Executive Support
Courting the Organization’s Influencers
Supporting Another Project That Has Support
Choosing Topics Important to Individuals
Having Some Fun Events
Don’t Promise Perfection
Don’t Overdo the FUD Factor
Scoring an Early Win
Using Real Gamification
Integrating the Organization’s Mission Statement
Ten Fundamental Awareness Topics
Phishing
Business Email Compromise
Mobile Device Security
Home Network and Computer Security
Password Security
Social Media Security
Physical Security
Malware and Ransomware
Social Engineering
It Can Happen to You
Ten Helpful Security Awareness Resources
ASSESSING RESOURCES BEYOND THIS BOOK
Security Awareness Special Interest Group
CybSafe Research Library
Cybersecurity Culture Guidelines
RSA Conference Library
You Can Stop Stupid
The Work of Sydney Dekker
Human Factors Knowledge Area
People-Centric Security
Human Security Engineering Consortium
How to Run a Security Awareness Program Course
Sample Questionnaire
Questions for the CISO or Similar Position
Questions for All Employees
Questions for the HR Department
Questions for the Legal Department
Questions for the Communications Department
Questions Regarding the Appropriate Person for Physical Security
Index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
Y
About the Author
Dedication
Author’s Acknowledgments
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Creating security awareness among users is much more difficult and complicated than just telling them, “Bad people will try to trick you. Don’t fall for their tricks.” Not only is that advice usually insufficient, but you also have to account for much more than just bad people tricking your users. People lose equipment. They frequently know what to do, but have competing priorities. They may just not care. Relying on the user knowing what to do is not a silver bullet that creates a true firewall. However, with the right plan and strategy, you can make a measurable difference in improving user behavior. This book puts you on the right path to creating effective security awareness programs that meaningfully reduce risk to your organization.
I started my career in cybersecurity performing social engineering and penetration tests. I put together teams of former special forces officers and intelligence operatives, and we targeted companies as nation-states would. I focused on black bag operations, which often consist of clandestine activities such as lock picking or safecracking, and otherwise infiltrating protected facilities. I went undercover to infiltrate organizations and persuade users to give me sensitive information. These operations led to the theft of reportedly billions of dollars of information and intellectual property. (I gave it all back.)
.....
Dealing with user-initiated loss (after all, the actions can be either unintentional or malicious) requires a comprehensive strategy to deal with not just the user action but also whatever enables the user to be in the position to create a loss and then to have the loss realized. You can’t blame a user for what is typically, again, a complex set of failures.
Though it’s true that, as an awareness professional, you can just do your job and operate in a vacuum, doing so inevitably leads to failure. It goes against the argument that you deserve more. This doesn’t mean that the failure wouldn’t happen even if everyone cooperated, but operating in a vacuum sends the wrong message.
.....