Ira Winkler - Security Awareness For Dummies

Security Awareness For Dummies®

Published by: John Wiley & Sons, Inc.,111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2022 by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada

Includes text used with permission from You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions © 2021, John Wiley & Sons, Inc., Indianapolis, IN, authored by Ira Winkler and Tracy Celaya Brown.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions .

Trademarks:Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER, READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies .

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com . For more information about Wiley products, visit www.wiley.com .

Library of Congress Control Number: 2022934265

ISBN 978-1-119-72092-8 (pbk); ISBN 978-1-119-72093-5 (ePDF); ISBN 978-1-119-72094-2 (epub)

1 Cover

2 Title Page

3 Copyright

4 Introduction About This Book Foolish Assumptions Icons Used in This Book Beyond the Book Where to Go from Here

5 Part 1: Getting to Know Security Awareness Chapter 1: Knowing How Security Awareness Programs Work Understanding the Benefits of Security Awareness Knowing How Security Awareness Programs Work Recognizing the Role of Awareness within a Security Program Disputing the Myth of the Human Firewall Chapter 2: Starting On the Right Foot: Avoiding What Doesn’t Work Making a Case Beyond Compliance Standards Treating Compliance as a Must Limiting the Popular Awareness Theories Distinguishing Social Engineering from Security Awareness Addressing Mental Models That Don’t Work Making Perfection the Stated Goal Measuring from the Start Prioritizing Program Over Product Choosing Substance Over Style Understanding the Role of Security Awareness Chapter 3: Applying the Science Behind Human Behavior and Risk Management Achieving Common Sense through Common Knowledge Borrowing Ideas from Safety Science Applying Accounting Practices to Security Awareness Applying the ABCs of Awareness Benefiting from Group Psychology Remembering That It’s All About Risk

6 Part 2: Building a Security Awareness Program Chapter 4: Creating a Security Awareness Strategy Identifying the Components of an Awareness Program Figuring Out How to Pay for It All Chapter 5: Determining Culture and Business Drivers Understanding Your Organization’s Culture Identifying Subcultures Interviewing Stakeholders Partnering with Other Departments Chapter 6: Choosing What to Tell The Users Basing Topics on Business Drivers Incorporating Personal Awareness Topics Motivating Users to Do Things “Right” Common Topics Covered in Security Awareness Programs Chapter 7: Choosing the Best Tools for the Job Identifying Security Ambassadors Knowing the Two Types of Communications Tools Exploring Your Communications Arsenal Chapter 8: Measuring Performance Knowing the Hidden Cost of Awareness Efforts Meeting Compliance Requirements Collecting Engagement Metrics Measuring Improved Behavior Demonstrating a Tangible Return on Investment Recognizing Intangible Benefits of Security Awareness Knowing Where You Started: Day 0 Metrics

7 Part 3: Putting Your Security Awareness Program Into Action Chapter 9: Assembling Your Security Awareness Program Knowing Your Budget Choosing to Implement One Program or Multiple Programs Gaining Support from Management Devising a Quarterly Delivery Strategy Deciding Whether to Include Phishing Simulations Planning Which Metrics to Collect and When Branding Your Security Awareness Program Chapter 10: Running Your Security Awareness Program Nailing the Logistics Getting All Required Approvals Getting the Most from Day 0 Metrics Creating Meaningful Reports Reevaluating Your Program Redesigning Your Program Considering Breaking News and Incidents Chapter 11: Implementing Gamification Understanding Gamification Identifying the Four Attributes of Gamification Figuring Out Where to Gamify Awareness Examining Some Tactical Gamification Examples Putting Together a Gamification Program Promoting the Program Chapter 12: Running Phishing Simulation Campaigns Knowing Why Phishing Simulations Matter Setting Goals for Your Phishing Program Planning a Phishing Program Choosing a Phishing Tool Implementing a Phishing Simulation Program Running a Phishing Simulation Tracking Metrics and Identifying Trends Dealing with Repeat Offenders Management Reporting

8 Part 4: The Part of Tens Chapter 13: Ten Ways to Win Support for Your Awareness Program Finding Yourself a Champion