The Security Culture Playbook
Contents
Perry Carpenter. The Security Culture Playbook
Table of Contents
List of Tables
List of Illustrations
Guide
Pages
Praise for Perry Carpenter
Praise for Kai Roer
The Security Culture Playbook
Introduction
What Lies Ahead?
Part I: Foundation
Part II: Exploration
Part III: Transformation
Reader Support for This Book
How to Contact the Publisher
How to Contact the Authors
Part I Foundation
Chapter 1 You Are Here
Why All the Buzz?
The Technology-Based Defense vs. Human-Based Defense Debate: A False Dilemma
What Is Security Culture, Anyway?
A Problem of Definition
A Problem of Overconfidence
Takeaways
Chapter 2 Up-leveling the Conversation: Security Culture Is a Board-level Concern
A View from the Top
Telling the Human Side of the Story
What's the Cost of Not Getting This Right?
Does the Breach Problem Mean Security Awareness Has Failed?
Cybercriminals Are Doubling Down on Their Attacks Against Your Employees
How Bad Is the Problem of Ransomware?
Your People and Security Culture Are at the Center of Everything
The Implication
Getting It Right
Takeaways
Chapter 3 The Foundations of Transformation
The Core Thesis
The Knowledge-Intention-Behavior Gap
Three Realities of Security Awareness
Program Focus
Extending the Discussion
Introducing the Security Culture Maturity Model
The Security Culture Maturity Model in Brief
The S-Curves
The Value of the Security Culture Maturity Model
You Are Always Either Building Strength or Allowing Atrophy
Takeaways
Part II Exploration
Chapter 4 Just What Is Security Culture, Anyway?
Lessons from Safety Culture
What's the Difference Between Safety and Security?
A Jumble of Terms
Information Security Culture
IT Security Culture
Cybersecurity Culture
Security Culture in the Modern Day
Technology Focus
Compliance Focus
Human-Reality Focus
Security Culture Is in the Numbers
Takeaways
Chapter 5 Critical Concepts from the Social Sciences
What's the Real Goal—Awareness, Behavior, or Culture?
Coming to Terms with Our Irrational Nature
We Are Lazy
Never Underestimate the Power of Social Pressures
Why Don't We Just Give Up?
Security Culture—A Part of Organizational Culture
Takeaways
Chapter 6 The Components of Security Culture
A Problem of Definition
The Academic Perspective
The Practitioner Perspective
Defining Security Culture
Security Culture as Dimensions
The Seven Dimensions of Security Culture
Attitudes
Behaviors
Cognition
Communication
Compliance
Norms
Responsibilities
The Security Culture Survey
Example Findings from Measuring the Seven Dimensions
Normalized Use of Unauthorized Services
Confidentiality and Insider Threats
Last Thought
Takeaways
Note
Chapter 7 Interviews with Organizational Culture Experts and Academics
John R. Childress, PYXIS Culture Technologies Limited
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You'd Like to Share Related to Culture Change?
How Does a Culture Evolve (or How Often?)
Professor John McAlaney, Bournemouth University, UK
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You'd Like to Share Related to Culture Change? Alternative Question: What Is Your Most Interesting Experience with Culture?
How Does a Culture Evolve (or How Often?)
Dejun “Tony” Kong, PhD, Muma College of Business, University of South Florida
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
Michael Leckie, Silverback Partners, LLC
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You'd Like to Share Related to Culture Change? Alternative Question: What Is Your Most Interesting Experience with Culture?
How Does a Culture Evolve (or How Often?)
Part III Transformation
Chapter 8 Introducing the Security Culture Framework
Commit for the Long Haul
The Power of Three
Step 1: Measure
Know Where You Are
Decide Where You Want to Be
Find Your Gap
Analyzing Your Results
Step 2: Involve
Building Support
Different Audiences
Step 3: Engage
Always Teaching, Always Learning
Rinse and Repeat
Benefits of Using the Security Culture Framework
Takeaways
Chapter 9 The Secrets to Measuring Security Culture
The Security Culture Survey: A History
Connecting Awareness, Behavior, and Culture
How Can You Measure the Unseen?
Using Existing Data
A Data Dilemma
The Right Way to Use Data
Methods of Measuring Culture
Observation
Experimentation
A Fun Experiment
Interrogation (Surveys and Interviews)
A/B Testing
Combining Metrics
Multiple Metrics, Single Score
Trends
Measure Iterations
A Note Regarding Completion Rates
Takeaways
Chapter 10 How to Influence Culture
Resistance to Change
Be Proactive
Not All Resistance Is Resistance to Security
The Complexity of Culture
Using the Seven Dimensions to Influence Your Security Culture
Attitudes
People Are Not Computers
Behaviors
Cognition
A Quick Warning
Communication
Compliance
A Note About Policy Enforcement and Relationship Management
Norms
Responsibilities
How Do You Know Which Dimension to Target?
You Are in It for the Long Haul
Takeaways
Notes
Chapter 11 Culture Sticking Points
Does Culture Change Have to Be Difficult?
Using Norms Is a Double-Edged Sword
Failing to Plan Is Planning to Fail
If You Try to Work Against Human Nature, You Will Fail
The First Two Realities of Security Awareness
Not Seeing the Culture You Are Embedded In
Breaking Away from Embedded Biases
Takeaways
Chapter 12 Planning and Maturing Your Program
Taking Stock of What We've Covered
Know Your ABCs
View Your Culture Through Your Employees' Eyes
Culture Carriers
Building and Modeling Maturity
Exploring the Data
Culture Maturity Indicators
Level 1: Basic Compliance
Level 2: Security Awareness Foundation
Level 3: Programmatic Security Awareness & Behavior
Level 4: Security Behavior Management
Level 5: Sustainable Security Culture
There Are Stories in the Data
A Seat at the Table
Takeaways
Chapter 13 Quick Tips for Gaining and Maintaining Support
You Are a Guide
Your Guiding Principle
Sell by Using Stories
The Power of Story
Lead with Empathy, Know Your Audience
Set Expectations
Use Metrics, But Only Where Helpful
Takeaways
Chapter 14 Interviews with Security Culture Thought Leaders
Alexandra Panaretos, Ernst & Young
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Success or Horror Story You'd Like to Share Related to Culture Change?
Dr. Jessica Barker, Cygenta
Why Is Security Culture Important?
Why Do You Find Culture Interesting?
What Actions Can Be Taken to Direct Cultural Change?
What Is Your Most Interesting Experience with Culture?
Kathryn Djebbar, Jaguar Land Rover
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
What Actions Can Be Taken to Direct Cultural Change?
Lauren Zink, Boeing
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
Mark Majewski, Rock Central
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You'd Like to Share Related to Culture Change?
How Does a Culture Evolve (or How Often?)
Mo Amin, moamin.com
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You'd Like to Share Related to Culture Change?
How Does a Culture Evolve (or How Often)?
Chapter 15 Parting Thoughts
Engage the Community
Be a Lifelong Learner
Certifications for Security Awareness and Culture Professionals
Be a Realistic Optimist
Conclusion
Bibliography
Index
About the Author
Acknowledgments
WILEY END USER LICENSE AGREEMENT
Excerpt from the Book
“The best security behaviors are the ones you never think about, that get ingrained as habits and become part of who you are. Perry's exploration of security as a cultural force, created by processes and communications but separate from them, is a unique look into precisely that zone of our identity. By stepping away from our biases about what security looks like and focusing on what it practically does, this book invites us forward.”
—Matt Wallaert, Behavioral Scientist and Author of Start At The End: How to Build Products that Create Change
.....
In order to submit your possible errata, please email it to our Customer Service Team at wileysupport@wiley.com with the subject line “Possible Book Errata Submission”.
We appreciate your input and questions about this book! Connect with Perry or Kai on LinkedIn at www.linkedin.com/in/perrycarpenter and www.linkedin.com/in/kairoer.
.....