Ira Winkler - Security Awareness For Dummies

Security Awareness For Dummies: summary, description and annotation

Make security a priority on your team

Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 
Since security programs are only as effective as a team’s willingness to follow their rules and protocols, it’s increasingly necessary to have not just a widely accessible gold standard of security, but also a practical plan for rolling it out and getting others on board with following it. 
 gives you the blueprint for implementing this sort of holistic and hyper-secure program in your organization. 
Written by one of the world’s most influential security professionals—and an Information Systems Security Association Hall of Famer—this pragmatic and easy-to-follow book provides a framework for creating new and highly effective awareness programs from scratch, as well as steps to take to improve on existing ones. It also covers how to measure and evaluate the success of your program and highlight its value to management. 
Customize and create your own program
Make employees aware of the importance of security
Develop metrics for success
Follow industry-specific sample programs

Cyberattacks aren’t going away anytime soon: get this smart, friendly guide on how to get a workgroup on board with their role in security and save your organization big money in the long run.

Security Awareness For Dummies: read the preview excerpt online

I also learned how to tell when awareness efforts were doomed to failure. More important though, I learned what works and how best to implement awareness programs.

This book shows how to implement the strategy that I found (through decades of experience) actually works. It helps you cut through hype and platitudes and begin doing what actually works. Platitudes and hype sound noble, but they are frequently misleading. Some of what I describe might go against what is considered common practice; however, you must consider that common practice has led to few improvements over decades. With that in mind, consider my perspective and determine what works best for your purposes. No guarantee exists of what will or won’t work in any given situation.

Take this insight into account as you read this book and choose your own path.

To help you choose that path and make the content more accessible, I’ve divided this book into four parts:

Part 1, “Getting to Know Security Awareness”: An overview of the fundamental concepts and philosophies of security awareness

Part 2, “Building a Security Awareness Program”: The building blocks of an awareness program

Part 3, “Putting Your Security Awareness Program into Action”: Creating and implementing your program

Part 4, “The Part of Tens”: Quick guidance for optimizing your program

The appendix provides a sample assessment questionnaire.

Foolish Assumptions

My fundamental assumption is that I have no assumptions except that you are interested in addressing human vulnerabilities. You may be a CISO who wants to get a handle on how to better address the most common attacks against your organization. You may run awareness programs and want to enhance your current efforts. You may have been randomly assigned to run an awareness program and have little idea where to start. Or you may simply be interested in becoming a more well-rounded cybersecurity professional. This book definitely provides a valuable addition to your knowledge base.

Regardless of your role or position in your organization, if you’re interested in addressing human vulnerabilities, you should find value in this book. I hope that you get to apply the information in a practical setting. As I finalize this manuscript, the 2021 Verizon Data Breach Investigations Report (DBIR) has been released, and it again reports that the targeting of users remains the top attack vector. It is my belief that this book can help to address this problem.

Icons Used in This Book

Throughout this book, icons in the margins highlight certain types of valuable information that call out for your attention. Here are the icons you encounter and a brief description of each:

The Tip icon marks tips and shortcuts you can use to make creating and running awareness programs easier.

Remember icons mark the information that’s especially important to know. Frequently, paragraphs marked with this icon reiterate information that is presented previously in the book but bears repeating in the current context.

The Technical Stuff icon marks information that is specifically practical in implementing awareness programs. It involves information specific to the execution of programs.

When you see the Warning icon, you know to watch out! This icon marks important information that may save you headaches, or at least let you know when those headaches might pop up (and why).

Beyond the Book

In addition to the abundance of information and guidance related to creating a security awareness program that we provide in this book, you gain access to even more help and information online at Dummies.com. Check out this book’s online Cheat Sheet. Just go to www.dummies.com and search for security awareness for dummies cheat sheet.

Where to Go from Here

This book follows a certain flow, but — as I identify in the description of the parts of this book, and as I write in the “Foolish Assumptions” section — you may be anywhere in the process of implementing an awareness program. For that reason, I intend for the chapters to stand alone as much as possible. Part 1 of this book covers my philosophies, biases, and experience, which may help you understand the perspective of the advice I provide, but you should be able to start with any chapter that seems most relevant to you.

If you have a functional program running and want to enhance it, I recommend turning to the chapters on gamification (see Chapter 11), running phishing simulations (see Chapter 12), or metrics (see Chapter 8). Otherwise, you can skim the chapters to see which one is the most relevant to your immediate needs. You may prefer, of course, to follow the flow of the book and read from front to back.

Part 1

Getting to Know Security Awareness

IN THIS PART …

See what makes security awareness work.

Avoid the pitfalls that cause security awareness programs to fail.

Get the most from what science shows about human behavior.

Chapter 1

Knowing How Security Awareness Programs Work

IN THIS CHAPTER

Recognizing the importance of security awareness

Working with a security awareness program

Knowing where awareness fits within a security program

Getting why the so-called “human firewall” doesn’t work

A successful security awareness program motivates people to behave according to defined practices that decrease risk. Creating a program that successfully changes behavior throughout an organization involves more than simply communicating a bunch of facts about security awareness. Just because people are aware of a problem doesn’t mean they will act on their awareness. In other words, awareness doesn’t guarantee action. (Everyone knows that fast food isn’t the healthiest choice, but most people still eat it.) This chapter sets the foundation for understanding the issues and the solutions.

Understanding the Benefits of Security Awareness

The thinking behind security awareness is that if people are aware of a problem, they’re less likely to contribute to the problem — and more likely to respond appropriately when they encounter it.

Users who are aware don’t pick up USB drives on the street and insert them into their work computers. They’re aware of their surroundings and ensure that nobody is looking over their shoulders while they’re working. They don’t connect to insecure Wi-Fi networks. They’re less likely to fall victim to phishing attacks. Essentially, users who are aware don’t initiate losses for their organizations.
