You CAN Stop Stupid
John Wiley & Sons Inc (Publisher)
978-1-119-62198-0 (ISBN)
Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations conclude that there is some deficiency in the users, and in response they believe they have to improve their awareness efforts and make users more secure. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and that the failure lies in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses.
Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.
Minimize business losses associated with user failings
Proactively plan to prevent and mitigate data breaches
Optimize your security spending
Cost justify your security and loss reduction efforts
Improve your organization’s culture
Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.
Ira Winkler, CISSP, is President of Secure Mentem and is widely viewed as one of the world's most influential security professionals. Ira is the recipient of several prestigious industry awards, including being named "The Awareness Crusader" by CSO magazine on receiving their CSO COMPASS Award. Dr. Tracy Celaya Brown, CISSP, is President of Go Consulting International. She is a sought-after consultant in IT Security Program Management, Organizational Development, and Change Management.
Foreword xiii
Introduction xxvii
I Stopping Stupid is Your Job 1
1 Failure: The Most Common Option 3
History is Not on the Users’ Side 4
Today’s Common Approach 6
Operational and Security Awareness 6
Technology 7
Governance 8
We Propose a Strategy, Not Tactics 9
2 Users Are Part of the System 11
Understanding Users’ Role in the System 11
Users Aren’t Perfect 13
“Users” Refers to Anyone in Any Function 13
Malice is an Option 14
What You Should Expect from Users 15
3 What is User-Initiated Loss? 17
Processes 18
Culture 20
Physical Losses 22
Crime 24
User Malice 25
Social Engineering 27
User Error 28
Inadequate Training 29
Technology Implementation 30
Design and Maintenance 31
User Enablement 32
Shadow IT 33
Confusing Interfaces 35
UIL is Pervasive 35
II Foundational Concepts 37
4 Risk Management 39
Death by 1,000 Cuts 40
The Risk Equation 41
Value 43
Threats 47
Vulnerabilities 48
Countermeasures 54
Risk Optimization 60
Risk and User-Initiated Loss 63
5 The Problems with Awareness Efforts 65
Awareness Programs Can Be Extremely Valuable 65
Check-the-Box Mentality 66
Training vs Awareness 68
The Compliance Budget 68
Shoulds vs Musts 70
When It’s Okay to Blame the User 72
Awareness Programs Do Not Always Translate into Practice 74
Structural Failings of Awareness Programs 75
Further Considerations 77
6 Protection, Detection, and Reaction 79
Conceptual Overview 80
Protection 81
Detection 82
Reaction 84
Mitigating a Loss in Progress 86
Mitigating Future Incidents 87
Putting It All Together 88
7 Lessons from Safety Science 89
The Limitations of Old-School Safety Science 91
Most UIL Prevention Programs Are Old-School 93
The New School of Safety Science 94
Putting Safety Science to Use 96
Safety Culture 97
The Need to Not Remove All Errors 98
When to Blame Users 100
We Need to Learn from Safety Science 100
8 Applied Behavioral Science 103
The ABCs of Behavioral Science 105
Antecedents 106
Behaviors 111
Consequences 112
Engineering Behavior vs Influencing Behavior 120
9 Security Culture and Behavior 123
ABCs of Culture 125
Types of Cultures 127
Subcultures 130
What is Your Culture? 132
Improving Culture 133
Determining a Finite Set of Behaviors to Improve 134
Behavioral Change Strategies 135
Traditional Project Management 137
Change Management 137
Is Culture Your Ally? 138
10 User Metrics 141
The Importance of Metrics 141
The Hidden Cost of Awareness 142
Types of Awareness Metrics 143
Compliance Metrics 144
Engagement Metrics 145
Behavioral Improvement 147
Tangible ROI 149
Intangible Benefits 149
Day 0 Metrics 150
Deserve More 151
11 The Kill Chain 153
Kill Chain Principles 154
The Military Kill Chain 154
The Cyber Kill Chain and Defense in Depth 155
Deconstructing the Cyber Kill Chain 157
Phishing Kill Chain Example 159
Other Models and Frameworks 162
Applying Kill Chains to UIL 164
12 Total Quality Management Revisited 167
TQM: In Search of Excellence 168
Exponential Increase in Errors 169
Principles of TQM 171
What Makes TQM Fail? 172
Other Frameworks 174
Product Improvement and Management 177
Kill Chain for Process Improvement 178
COVID-19 Remote Workforce Process Activated 178
Applying Quality Principles 179
III Countermeasures 181
13 Governance 183
Defining the Scope of Governance for Our Purposes 184
Operational Security or Loss Mitigation 185
Physical Security 186
Personnel Security 186
Traditional Governance 187
Policies, Procedures, and Guidelines 188
In the Workplace 190
Security and the Business 191
Analyzing Processes 192
Grandma’s House 194
14 Technical Countermeasures 197
Personnel Countermeasures 199
Background Checks 200
Continuous Monitoring 201
Employee Management Systems 201
Misuse and Abuse Detection 202
Data Leak Prevention 203
Physical Countermeasures 203
Access Control Systems 203
Surveillance and Safety Systems 204
Point-of-Sale Systems 206
Inventory Systems and Supply Chains 207
Computer Tracking Systems 207
Operational Countermeasures 208
Accounting Systems 209
Customer Relationship Management 210
Operational Technology 210
Workflow Management 211
Cybersecurity Countermeasures 212
The 20 CIS Controls and Resources 212
Anti-malware Software 213
Whitelisting 214
Firewalls 214
Intrusion Detection/Prevention Systems 215
Managed Security Services 215
Backups 215
Secure Configurations 216
Automated Patching 216
Vulnerability Management Tools 217
Behavioral Analytics 217
Data Leak Prevention 218
Web Content Filters/Application Firewalls 218
Wireless and Remote Security 219
Mobile Device Management 219
Multifactor Authentication 220
Single Sign-On 221
Encryption 221
Nothing is Perfect 223
Putting It All Together 223
15 Creating Effective Awareness Programs 225
What is Effective Awareness? 226
Governance as the Focus 227
Where Awareness Strategically Fits in the Organization 229
The Goal of Awareness Programs 230
Changing Culture 231
Defining Subcultures 232
Interdepartmental Cooperation 233
The Core of All Awareness Efforts 234
Process 235
Business Drivers 237
Culture and Communication Tools 238
Putting It Together 245
Metrics 246
Gamification 246
Gamification Criteria 247
Structuring Gamification 248
Gamification is Not for Everyone 248
Getting Management’s Support 249
Awareness Programs for Management 249
Demonstrate Clear Business Value 250
Enforcement 250
Experiment 251
IV Applying Boom 253
16 Start with Boom 255
What Are the Actions That Initiate UIL? 257
Start with a List 257
Order the List 258
Metrics 259
Governance 260
User Experience 261
Prevention and Detection 262
Awareness 263
Feeding the Cycle 263
Stopping Boom 264
17 Right of Boom 265
Repeat as Necessary 266
What Does Loss Initiation Look Like? 267
What Are the Potential Losses? 268
Preventing the Loss 272
Compiling Protective Countermeasures 273
Detecting the Loss 274
Before, During, and After 275
Mitigating the Loss 276
Determining Where to Mitigate 277
Avoiding Analysis Paralysis 278
Your Last Line of Defense 278
18 Preventing Boom 279
Why Are We Here? 280
Reverse Engineering 281
Governance 283
Awareness 284
Technology 285
Step-by-Step 287
19 Determining the Most Effective Countermeasures 289
Early Prevention vs Response 290
Start with Governance 292
Understand the Business Goal 293
Start Left of Boom 294
Consider Technology 295
Prioritize Potential Loss 296
Define Governance Thoroughly 297
Matrix Technical Countermeasures 299
Creating the Matrix 300
Define Awareness 301
It’s Just a Start 302
20 Implementation Considerations 303
You’ve Got Issues 304
Weak Strategy 304
Resources, Culture, and Implementation 305
Lack of Ownership and Accountability 307
One Effort at a Time 308
Change Management 308
Adopting Changes 309
Governance, Again 314
Business Case for a Human Security Officer 315
It Won’t Be Easy 316
21 If You Have Stupid Users, You Have a Stupid System 317
A User Should Never Surprise You 317
Perform Some More Research 318
Start Somewhere 319
Take Day Zero Metrics 320
UIL Mitigation is a Living Process 320
Grow from Success 321
The Users Are Your Canary in the Mine 322
Index 325
| Publication date | 29.01.2021 |
|---|---|
| Place of publication | New York |
| Language | English |
| Dimensions | 152 x 224 mm |
| Weight | 476 g |
| Subject area | Mathematics / Computer Science ► Computer Science ► Networks |
| | Computer Science ► Theory / Study ► Cryptology |
| | Mathematics / Computer Science ► Mathematics |
| ISBN-10 | 1-119-62198-4 / 1119621984 |
| ISBN-13 | 978-1-119-62198-0 / 9781119621980 |
| Condition | New |