You CAN Stop Stupid - Stopping Losses from Accidental and Malicious Actions

Ira Winkler, Tracy Celaya Brown

$57.95

English
John Wiley & Sons Inc
13 November 2020
Stopping Losses from Accidental and Malicious Actions
Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations respond as though the deficiency lies in the users, and conclude that they must improve their awareness efforts and produce more secure users. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach, one that acknowledges that users will inevitably make mistakes or act with malicious intent, and that the real failure is in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst cybersecurity breaches and other user-initiated losses.

Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.

Minimize business losses associated with user failings
Proactively plan to prevent and mitigate data breaches
Optimize your security spending
Cost-justify your security and loss reduction efforts
Improve your organization's culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 226mm,  Width: 154mm,  Spine: 18mm
Weight:   468g
ISBN:   9781119621980
ISBN 10:   1119621984
Pages:   368
Audience:   Professional and scholarly ,  Undergraduate
Format:   Paperback
Publisher's Status:   Active
Contents

Foreword
Introduction

I. Stopping Stupid is Your Job
1. Failure: The Most Common Option
  History is Not on the Users' Side
  Today's Common Approach
  Operational and Security Awareness
  Technology
  Governance
  We Propose a Strategy, Not Tactics
2. Users Are Part of the System
  Understanding Users' Role in the System
  Users Aren't Perfect
  Users Refers to Anyone in Any Function
  Malice is an Option
  What You Should Expect from Users
3. What is User-Initiated Loss?
  Processes
  Culture
  Physical Losses
  Crime
  User Malice
  Social Engineering
  User Error
  Inadequate Training
  Technology Implementation
  Design and Maintenance
  User Enablement
  Shadow IT
  Confusing Interfaces
  UIL is Pervasive

II. Foundational Concepts
4. Risk Management
  Death by 1,000 Cuts
  The Risk Equation
  Value
  Threats
  Vulnerabilities
  Countermeasures
  Risk Optimization
  Risk and User-Initiated Loss
5. The Problems with Awareness Efforts
  Awareness Programs Can Be Extremely Valuable
  Check-the-Box Mentality
  Training vs Awareness
  The Compliance Budget
  Shoulds vs Musts
  When It's Okay to Blame the User
  Awareness Programs Do Not Always Translate into Practice
  Structural Failings of Awareness Programs
  Further Considerations
6. Protection, Detection, and Reaction
  Conceptual Overview
  Protection
  Detection
  Reaction
  Mitigating a Loss in Progress
  Mitigating Future Incidents
  Putting It All Together
7. Lessons from Safety Science
  The Limitations of Old-School Safety Science
  Most UIL Prevention Programs Are Old-School
  The New School of Safety Science
  Putting Safety Science to Use
  Safety Culture
  The Need to Not Remove All Errors
  When to Blame Users
  We Need to Learn from Safety Science
8. Applied Behavioral Science
  The ABCs of Behavioral Science
  Antecedents
  Behaviors
  Consequences
  Engineering Behavior vs Influencing Behavior
9. Security Culture and Behavior
  ABCs of Culture
  Types of Cultures
  Subcultures
  What is Your Culture?
  Improving Culture
  Determining a Finite Set of Behaviors to Improve
  Behavioral Change Strategies
  Traditional Project Management
  Change Management
  Is Culture Your Ally?
10. User Metrics
  The Importance of Metrics
  The Hidden Cost of Awareness
  Types of Awareness Metrics
  Compliance Metrics
  Engagement Metrics
  Behavioral Improvement
  Tangible ROI
  Intangible Benefits
  Day 0 Metrics
  Deserve More
11. The Kill Chain
  Kill Chain Principles
  The Military Kill Chain
  The Cyber Kill Chain and Defense in Depth
  Deconstructing the Cyber Kill Chain
  Phishing Kill Chain Example
  Other Models and Frameworks
  Applying Kill Chains to UIL
12. Total Quality Management Revisited
  TQM: In Search of Excellence
  Exponential Increase in Errors
  Principles of TQM
  What Makes TQM Fail?
  Other Frameworks
  Product Improvement and Management
  Kill Chain for Process Improvement
  COVID-19 Remote Workforce Process Activated
  Applying Quality Principles

III. Countermeasures
13. Governance
  Defining the Scope of Governance for Our Purposes
  Operational Security or Loss Mitigation
  Physical Security
  Personnel Security
  Traditional Governance
  Policies, Procedures, and Guidelines
  In the Workplace
  Security and the Business
  Analyzing Processes
  Grandma's House
14. Technical Countermeasures
  Personnel Countermeasures
  Background Checks
  Continuous Monitoring
  Employee Management Systems
  Misuse and Abuse Detection
  Data Leak Prevention
  Physical Countermeasures
  Access Control Systems
  Surveillance and Safety Systems
  Point-of-Sale Systems
  Inventory Systems and Supply Chains
  Computer Tracking Systems
  Operational Countermeasures
  Accounting Systems
  Customer Relationship Management
  Operational Technology
  Workflow Management
  Cybersecurity Countermeasures
  The 20 CIS Controls and Resources
  Anti-malware Software
  Whitelisting
  Firewalls
  Intrusion Detection/Prevention Systems
  Managed Security Services
  Backups
  Secure Configurations
  Automated Patching
  Vulnerability Management Tools
  Behavioral Analytics
  Data Leak Prevention
  Web Content Filters/Application Firewalls
  Wireless and Remote Security
  Mobile Device Management
  Multifactor Authentication
  Single Sign-On
  Encryption
  Nothing is Perfect
  Putting It All Together
15. Creating Effective Awareness Programs
  What is Effective Awareness?
  Governance as the Focus
  Where Awareness Strategically Fits in the Organization
  The Goal of Awareness Programs
  Changing Culture
  Defining Subcultures
  Interdepartmental Cooperation
  The Core of All Awareness Efforts
  Process
  Business Drivers
  Culture and Communication Tools
  Putting It Together
  Metrics
  Gamification
  Gamification Criteria
  Structuring Gamification
  Gamification is Not for Everyone
  Getting Management's Support
  Awareness Programs for Management
  Demonstrate Clear Business Value
  Enforcement
  Experiment

IV. Applying Boom
16. Start with Boom
  What Are the Actions That Initiate UIL?
  Start with a List
  Order the List
  Metrics
  Governance
  User Experience
  Prevention and Detection
  Awareness
  Feeding the Cycle
  Stopping Boom
17. Right of Boom
  Repeat as Necessary
  What Does Loss Initiation Look Like?
  What Are the Potential Losses?
  Preventing the Loss
  Compiling Protective Countermeasures
  Detecting the Loss
  Before, During, and After
  Mitigating the Loss
  Determining Where to Mitigate
  Avoiding Analysis Paralysis
  Your Last Line of Defense
18. Preventing Boom
  Why Are We Here?
  Reverse Engineering
  Governance
  Awareness
  Technology
  Step-by-Step
19. Determining the Most Effective Countermeasures
  Early Prevention vs Response
  Start with Governance
  Understand the Business Goal
  Start Left of Boom
  Consider Technology
  Prioritize Potential Loss
  Define Governance Thoroughly
  Matrix Technical Countermeasures
  Creating the Matrix
  Define Awareness
  It's Just a Start
20. Implementation Considerations
  You've Got Issues
  Weak Strategy
  Resources, Culture, and Implementation
  Lack of Ownership and Accountability
  One Effort at a Time
  Change Management
  Adopting Changes
  Governance, Again
  Business Case for a Human Security Officer
  It Won't Be Easy
21. If You Have Stupid Users, You Have a Stupid System
  A User Should Never Surprise You
  Perform Some More Research
  Start Somewhere
  Take Day Zero Metrics
  UIL Mitigation is a Living Process
  Grow from Success
  The Users Are Your Canary in the Mine

Index

Ira Winkler, CISSP, is President of Secure Mentem and is widely viewed as one of the world's most influential security professionals. Ira is the recipient of several prestigious industry awards, including being named The Awareness Crusader by CSO magazine when receiving its CSO COMPASS Award. Dr. Tracy Celaya Brown, CISSP, is President of Go Consulting International. She is a sought-after consultant in IT Security Program Management, Organizational Development, and Change Management.