A A/B testing, 122 –123
Abitibi-Price, 93
academic perspective, of security culture, 64 –65
action line, 137
activities, 109 –110
advocate programs, 160
Amin, Mo, 203 –205
antivirus software, 48
Arachchilage, N., 140
attitudes, as a dimension of security culture, 68 , 69 , 134 –136
audience, knowing your, 180 –183
awareness, 159
B Barker, Jessica, 193 –195
Basic Compliance (level 1) level, of Security Culture Maturity Model (SCMM), 165
behaviors
about, 159
connecting with security awareness and culture, 115 –116
as a dimension of security culture, 68 , 69 , 136 –138
shaping, as a type of program focus, 32 –33
Boeing, 197 –200
Bournemouth University, 82 –86
buy-in, 177 –185
C Capability Maturity Model (CMM) framework, 33
Carpenter, Perry (author)
about, 151
contact information for, 211 –212
Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, 28 –33, 131 , 137 , 159
causation, correlation and, 124
certifications, 210
champion programs, 160
changeforce.ai, 91
Childress, John R. (thought leader), 62 , 78 –82
CIA triangle, 47
cognition, as a dimension of security culture, 68 , 69 –70, 133 –134, 138 –140
communication, as a dimension of security culture, 68 , 70 , 140 –141
community engagement, 208 –209
completion rates, 127 –128
compliance
as a dimension of security culture, 68 , 70 , 141 –142
as a type of program focus, 32 –33
compliance focus, of security culture, 48 –49
confidentiality
in CIA triangle, 47
security culture dimensions and, 74
correlation, causation and, 124
culture
about, 149 –150, 159
complexity of, 133 –134
connecting with security awareness and behavior, 115 –116
evolution of, 93 –94, 202
influencing, 129 –147
methods of measuring, 119 –122
recognizing, 155
culture carriers, 144 , 145 , 160
culture change
about, 129 –130
actions for, 80 –81, 84 –85, 91 –92, 194 , 201 , 204
being proactive, 131 –134
difficulty level of, 150 –151
evolution of, 82 , 85 –86
resistance to, 130 –131
stories related to, 81 –82, 85 , 93 , 190 –193, 202 , 204 –205
using metrics for measuring effectiveness of, 87 , 90 –91, 196 –197, 199 –200, 201 , 203 –204
culture drifts, 62 , 82 , 153
Culture Map, 140
Culture Maturity Indicator (CMI), 35 , 50 , 161 –165, 171 –174
customs, 66
cybercriminals, rise in attacks by, 19 –20
cybersecurity
cost of ignoring human side of, 16 –18
culture of, 46
human side of, 15 –16
Cybersecurity Canon Hall of Fame, 28
Cybersecurity Ventures, 19
Cygenta, 193 –195
D Da Veiga, Adele, 49 , 83
data
choices of, 117 –118
manual, 127
right way to use, 119
using existing, 116 –118
data leak prevention (DLP) system, 118
“Death by a Thousand Facts: Criticising the Technocratic Approach to Information Security Awareness” (Stewart and Lacey), 138
dedicated Slack channels, as activities, 110
default choice, 153
Denning, Steve (author)
The Leader's Guide to Storytelling, 143
descriptive norms, 152
dimensions
about, 63 –64
measuring, 72 –74
of security culture, 67 –71, 134 –146, 146 –147, 158
Djebbar, Kathryn, 195 –197
E e-learning, as activities, 109
email hygiene, 120
embedded bias, 156
empathy, leading with, 180 –183
employees
culture and behavior of, 79
differences in, 108 –109
groups of, 127
Engage step, in Security Culture Framework, 109 –111
engagement
of community, 208 –209
with trainings, 127
Ernst & Young, 188 –193
European Union Agency for Cybersecurity (ENISA), 98
events, as activities, 110
executive communication, improving, 14
expectations, setting, 184
experimentation, as a method of measuring culture, 121
F firewalls, 48
Fogg, BJ, 131 , 136 –138
Fogg Behavior Model, 136 –138
G games, as activities, 110
giveaways, as activities, 110
goal orientation, 54
goal state, 102
goals, setting, 103 –104
group dynamics, 60
group meetings, as activities, 109
groups, of employees, 127
H Hameed, M., 140
heuristics, 57
H-Layer Credentialing, 210
human nature, 58 , 135 , 153
human-based defense, 5 –7
human-reality focus, of security culture, 49 –50
humans, lazy nature of, 56 –60
I ideas, 66
information security culture, 45
information sharing, as a type of program focus, 32 –33
information-centric approaches, to cybersecurity, 24
insider threats, security culture dimensions and, 74
integrity, in CIA triangle, 47
International Association of Security Awareness Professionals (IASAP), 208
interrogation, as a method of measuring culture, 121 –122
interviews, as a method of measuring culture, 121 –122
Involve step, in Security Culture Framework, 106 –109
irrational nature, 55 –56, 60 –61
IT security culture, 45 –46
iterations, measuring, 126 –127
J Jaguar Land Rover, 195 –197
journey-based communication, 178
journey/conversation mindset, 178 –179
“just-in-time” training, 139
K KAB model (knowledge, attitude, and behavior model), 133 –134
Kahneman, Daniel (scientist)
about, 55
on thinking fast, 57
on thinking slow, 57
KB4-CON, 208
Kelvin, Lord, 113
knowledge, 133 –134
knowledge-intention-behavior gap, 29 –30, 69 , 158
Kong, Dejun “Tony,” 86 –87
L Lacey, D.
“Death by a Thousand Facts: Criticising the Technocratic Approach to Information Security Awareness,” 138
laziness, of humans, 56 –60
The Leader's Guide to Storytelling (Denning), 143 learning
lifelong, 209 –210
teaching and, 110 –111
Leckie, Michael, 87 –94
LinkedIn, 208
live demonstrations, as activities, 109
long-term goals, 103
lunch-and-learns, as activities, 109
M Majewski, Mark, 200 –202
manual data, 127
maturity, building and modeling, 161 –174
McAlaney, John (thought leader), 82 –86
Measure step, in Security Culture Framework, 101 –106
57 metrics
combining, 123 –124
multiple, 124 –125
using, 185
Meyer, Erin, 140 –141
Misbehaving: The Making of Behavioral Economics (Thaler), 55 moamin.com, 203 –205
Mulally, Alan, 81
Muma College of Business, 86 –87
N Nadella, Satya, 94
National Cybersecurity Alliance, 208 –209
nature, irrational, 55 –56, 60 –61
newsletters, as activities, 110
norms
advantages and disadvantages of using, 151 –152
as a dimension of security culture, 68 , 70 , 143 –144
Nudge (Thaler and Sunstein), 136
O Oberlander, Ron, 93
observation, as a method of measuring culture, 120
organizational culture, security culture as a part of, 61 –62
overconfidence, 11 –12
P Panaretos, Alexandra (thought leader), 188 –193
people, importance of, 20 –22
Petrič, Gregor, 67 , 114 –115, 151
phishing assessments, as activities, 109
phish-prone percentage, 126
planning
about, 157
awareness, 159
behavior, 159
building a robust program, 174
building and modeling maturity, 161 –174
culture, 159
culture carriers, 160
importance of, 152 –153
overview, 158
viewing through employee eyes, 159 –160
policy enforcement, 142
posters, as activities, 110
practitioner perspective, of security culture, 65 –66
program focus, types of, 31 –33
Programmatic Security Awareness & Behavior (level 3) level, of Security Culture Maturity Model (SCMM), 166 –167
PYXIS Culture Technologies Limited, 78 –82
R ransomware, 19 , 23
relationship management, 142
responsibilities, as a dimension of security culture, 68 , 71 , 144 –146
risk, 14
Robert, Stephen Allen, 67
Roberts, 134
Rock Central, 200 –202
Roer, Kai, 49 , 97 –98, 114 –115
S safety culture, 42 –43, 44
SANS MGT433: Managing Human Risk: Mature Security Awareness Programs course, 210
Sans Security Awareness Professional (SSAP), 210
SANS Security Awareness Summits, 209
Schein, Edgar, 88 , 90
S-curves, 36 –37
security ambassadors, 141
security awareness
about, 3 , 17 –18
building, 37 –38
compared with security culture, 65
connecting with behavior and culture, 115 –116
realities of, 31 , 154 –155, 158
Security Awareness and Culture Professional (SACP) certification, 210
Security Awareness Foundation (level 2) level, of Security Culture Maturity Model (SCMM), 165 –166
Security Awareness Proficiency Assessment (SAPA), 171 –172
Security Behavior Management (level 4) level, of Security Culture Maturity Model (SCMM), 167 –168
security champions, 141 , 197 –200
security culture
about, 1 , 3 –4, 8 –9, 41
actions, 197
Amin on, 203 –205
Barker on, 193 –195
as a board-level concern, 13 –25
Childress on, 78 –82
compared with safety culture, 44
compared with security awareness, 65
components of, 63 –75
as a critical priority, 22 –24
defined, 66 –67
definitions of, 9 –11, 64
dimensions of, 67 –71, 72 –74, 134 –146, 146 –147, 158
Djebbar on, 195 –197
evolution of, 46 –50
importance of, 4 –8, 20 –22, 27 –28
Kong on, 86 –87
Majewski on, 200 –202
management of, 174
McAlaney on, 82 –86
measuring, 24 , 50 , 113 –128
Panaretos on, 188 –193
as a part of organizational culture, 61 –62
resistance to, 132
shaping, as a type of program focus, 32 –33
terminology, 44 –46
Security Culture Framework
about, 97 –99, 158
analyzing results, 105 –106
benefits of using, 111 –112
Leckie on, 87 –94
steps in, 99 –111
Security Culture Maturity Model (SCMM)
about, 33 –36, 161 –174
S-curves, 36 –37
value of, 37
Security Culture Survey
A/B testing, 122 –123
about, 71 –72, 113 –114, 160
combining metrics, 123 –124
completion rates, 127 –128
history of, 114 –115
measuring iterations, 126 –127
methods of measuring culture, 119 –122
multiple metrics, single score, 124 –125
right way to use data, 119
trends, 125 –126
using existing data, 116 –118
Security Culture Survey (SCS) scores, 171 –172
security information and event management (SIEM) system, 118
security liaisons, 160
short-term goals, 104
Silverback Partners, 87 –94
social behaviors, 66
social pressures, power of, 59 –60
social sciences, critical concepts from the, 53 –62
Stewart, G.
“Death by a Thousand Facts: Criticising the Technocratic Approach to Information Security Awareness,” 138
stories, 179 –180
Sunstein, C. R.
support, gaining and maintaining, 177 –185
surveys
as activities, 110
as a method of measuring culture, 121 –122
Sustainable Security Culture (level 5) level, of Security Culture Maturity Model (SCMM), 168 –169
Swisher, George, 91
System 1 thinking, 57
System 2 thinking, 57
T tailgating, 120
teaching, learning and, 110 –111
technology focus, of security culture, 47 –48
technology-based defenses, 5 –7
technology-centric approaches, to cybersecurity, 24
text message reminders, as activities, 110
Thaler, Richard
on default choice, 153
Misbehaving: The Making of Behavioral Economics, 55 Nudge, 136
thinking fast, 57
thinking slow, 57
Thon, Roar, 49
thought leaders
about, 77 –78, 187 –188
Amin, Mo, 203 –205
Barker, Jessica, 193 –195
Childress, John R., 78 –82
Djebbar, Kathryn, 195 –197
Kong, Dejun “Tony,” 86 –87
87 –94Majewski, Mark, 200 –202
McAlaney, John, 82 –86
Panaretos, Alexandra, 188 –193
Zink, Lauren, 197 –200
to-be state, 102
traditional awareness programs, 17 –18
trainings, engagement with, 127
transformation, foundations of, 27 –38
Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Carpenter), 28 –33, 131 , 137 , 159 trends, 125 –126
Tversky, Amos (scientist), 55
U unauthorized services, normalized use of, 73
University of South Florida, 86 –87
V Verizon's Data Breach Investigation Report (DBIR), 8
videos, as activities, 109
W Wallaert, Matt, 131
weaknesses, mitigating, 60 –61
websites
H-Layer Credentialing, 210
International Association of Security Awareness Professionals (IASAP), 208
KB4-CON, 208
LinkedIn, 208
National Cybersecurity Alliance, 209
SANS MGT433: Managing Human Risk: Mature Security Awareness Programs course, 210
SANS Security Awareness Summits, 209
Z zero deaths, 42
Zink, Lauren, 197 –200
..................Content has been hidden....................
You can't read the all page of ebook, please click
here login for view all page.
