Description

Book Synopsis

Stopping Losses from Accidental and Malicious Actions

Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations conclude that there is some deficiency in the users, and respond by trying to improve their awareness efforts and make more secure users. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and that the real failure is in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses.

Using lessons from tested and proven disciplines like military kill-chain analys

Table of Contents

Foreword xiii

Introduction xxvii

I Stopping Stupid is Your Job 1

1 Failure: The Most Common Option 3

History is Not on the Users’ Side 4

Today’s Common Approach 6

Operational and Security Awareness 6

Technology 7

Governance 8

We Propose a Strategy, Not Tactics 9

2 Users Are Part of the System 11

Understanding Users’ Role in the System 11

Users Aren’t Perfect 13

“Users” Refers to Anyone in Any Function 13

Malice is an Option 14

What You Should Expect from Users 15

3 What is User-Initiated Loss? 17

Processes 18

Culture 20

Physical Losses 22

Crime 24

User Malice 25

Social Engineering 27

User Error 28

Inadequate Training 29

Technology Implementation 30

Design and Maintenance 31

User Enablement 32

Shadow IT 33

Confusing Interfaces 35

UIL is Pervasive 35

II Foundational Concepts 37

4 Risk Management 39

Death by 1,000 Cuts 40

The Risk Equation 41

Value 43

Threats 47

Vulnerabilities 48

Countermeasures 54

Risk Optimization 60

Risk and User-Initiated Loss 63

5 The Problems with Awareness Efforts 65

Awareness Programs Can Be Extremely Valuable 65

Check-the-Box Mentality 66

Training vs Awareness 68

The Compliance Budget 68

Shoulds vs Musts 70

When It’s Okay to Blame the User 72

Awareness Programs Do Not Always Translate into Practice 74

Structural Failings of Awareness Programs 75

Further Considerations 77

6 Protection, Detection, and Reaction 79

Conceptual Overview 80

Protection 81

Detection 82

Reaction 84

Mitigating a Loss in Progress 86

Mitigating Future Incidents 87

Putting It All Together 88

7 Lessons from Safety Science 89

The Limitations of Old-School Safety Science 91

Most UIL Prevention Programs Are Old-School 93

The New School of Safety Science 94

Putting Safety Science to Use 96

Safety Culture 97

The Need to Not Remove All Errors 98

When to Blame Users 100

We Need to Learn from Safety Science 100

8 Applied Behavioral Science 103

The ABCs of Behavioral Science 105

Antecedents 106

Behaviors 111

Consequences 112

Engineering Behavior vs Influencing Behavior 120

9 Security Culture and Behavior 123

ABCs of Culture 125

Types of Cultures 127

Subcultures 130

What is Your Culture? 132

Improving Culture 133

Determining a Finite Set of Behaviors to Improve 134

Behavioral Change Strategies 135

Traditional Project Management 137

Change Management 137

Is Culture Your Ally? 138

10 User Metrics 141

The Importance of Metrics 141

The Hidden Cost of Awareness 142

Types of Awareness Metrics 143

Compliance Metrics 144

Engagement Metrics 145

Behavioral Improvement 147

Tangible ROI 149

Intangible Benefits 149

Day 0 Metrics 150

Deserve More 151

11 The Kill Chain 153

Kill Chain Principles 154

The Military Kill Chain 154

The Cyber Kill Chain and Defense in Depth 155

Deconstructing the Cyber Kill Chain 157

Phishing Kill Chain Example 159

Other Models and Frameworks 162

Applying Kill Chains to UIL 164

12 Total Quality Management Revisited 167

TQM: In Search of Excellence 168

Exponential Increase in Errors 169

Principles of TQM 171

What Makes TQM Fail? 172

Other Frameworks 174

Product Improvement and Management 177

Kill Chain for Process Improvement 178

COVID-19 Remote Workforce Process Activated 178

Applying Quality Principles 179

III Countermeasures 181

13 Governance 183

Defining the Scope of Governance for Our Purposes 184

Operational Security or Loss Mitigation 185

Physical Security 186

Personnel Security 186

Traditional Governance 187

Policies, Procedures, and Guidelines 188

In the Workplace 190

Security and the Business 191

Analyzing Processes 192

Grandma’s House 194

14 Technical Countermeasures 197

Personnel Countermeasures 199

Background Checks 200

Continuous Monitoring 201

Employee Management Systems 201

Misuse and Abuse Detection 202

Data Leak Prevention 203

Physical Countermeasures 203

Access Control Systems 203

Surveillance and Safety Systems 204

Point-of-Sale Systems 206

Inventory Systems and Supply Chains 207

Computer Tracking Systems 207

Operational Countermeasures 208

Accounting Systems 209

Customer Relationship Management 210

Operational Technology 210

Workflow Management 211

Cybersecurity Countermeasures 212

The 20 CIS Controls and Resources 212

Anti-malware Software 213

Whitelisting 214

Firewalls 214

Intrusion Detection/Prevention Systems 215

Managed Security Services 215

Backups 215

Secure Configurations 216

Automated Patching 216

Vulnerability Management Tools 217

Behavioral Analytics 217

Data Leak Prevention 218

Web Content Filters/Application Firewalls 218

Wireless and Remote Security 219

Mobile Device Management 219

Multifactor Authentication 220

Single Sign-On 221

Encryption 221

Nothing is Perfect 223

Putting It All Together 223

15 Creating Effective Awareness Programs 225

What is Effective Awareness? 226

Governance as the Focus 227

Where Awareness Strategically Fits in the Organization 229

The Goal of Awareness Programs 230

Changing Culture 231

Defining Subcultures 232

Interdepartmental Cooperation 233

The Core of All Awareness Efforts 234

Process 235

Business Drivers 237

Culture and Communication Tools 238

Putting It Together 245

Metrics 246

Gamification 246

Gamification Criteria 247

Structuring Gamification 248

Gamification is Not for Everyone 248

Getting Management’s Support 249

Awareness Programs for Management 249

Demonstrate Clear Business Value 250

Enforcement 250

Experiment 251

IV Applying Boom 253

16 Start with Boom 255

What Are the Actions That Initiate UIL? 257

Start with a List 257

Order the List 258

Metrics 259

Governance 260

User Experience 261

Prevention and Detection 262

Awareness 263

Feeding the Cycle 263

Stopping Boom 264

17 Right of Boom 265

Repeat as Necessary 266

What Does Loss Initiation Look Like? 267

What Are the Potential Losses? 268

Preventing the Loss 272

Compiling Protective Countermeasures 273

Detecting the Loss 274

Before, During, and After 275

Mitigating the Loss 276

Determining Where to Mitigate 277

Avoiding Analysis Paralysis 278

Your Last Line of Defense 278

18 Preventing Boom 279

Why Are We Here? 280

Reverse Engineering 281

Governance 283

Awareness 284

Technology 285

Step-by-Step 287

19 Determining the Most Effective Countermeasures 289

Early Prevention vs Response 290

Start with Governance 292

Understand the Business Goal 293

Start Left of Boom 294

Consider Technology 295

Prioritize Potential Loss 296

Define Governance Thoroughly 297

Matrix Technical Countermeasures 299

Creating the Matrix 300

Define Awareness 301

It’s Just a Start 302

20 Implementation Considerations 303

You’ve Got Issues 304

Weak Strategy 304

Resources, Culture, and Implementation 305

Lack of Ownership and Accountability 307

One Effort at a Time 308

Change Management 308

Adopting Changes 309

Governance, Again 314

Business Case for a Human Security Officer 315

It Won’t Be Easy 316

21 If You Have Stupid Users, You Have a Stupid System 317

A User Should Never Surprise You 317

Perform Some More Research 318

Start Somewhere 319

Take Day Zero Metrics 320

UIL Mitigation is a Living Process 320

Grow from Success 321

The Users Are Your Canary in the Mine 322

Index 325

You CAN Stop Stupid


    Paperback by Ira Winkler and Tracy Celaya Brown


      Publisher: John Wiley & Sons Inc
      Publication Date: 28/01/2021
      ISBN13: 9781119621980, 978-1119621980
      ISBN10: 1119621984
