Creating security awareness among users is much more difficult and complicated than just telling them, “Bad people will try to trick you. Don’t fall for their tricks.” Not only is that advice usually insufficient, but you also have to account for much more than just bad people tricking your users. People lose equipment. They frequently know what to do, but have competing priorities. They may just not care. Relying on the user knowing what to do is not a silver bullet that creates a true firewall. However, with the right plan and strategy, you can make a measurable difference in improving user behavior. This book puts you on the right path to creating effective security awareness programs that meaningfully reduce risk to your organization.
About This Book
I started my career in cybersecurity performing social engineering and penetration tests. I put together teams of former special forces officers and intelligence operatives, and we targeted companies as nation-states would. I focused on black bag operations, which often consist of clandestine activities such as lock picking or safecracking, and otherwise infiltrating protected facilities. I went undercover to infiltrate organizations and persuade users to give me sensitive information. These operations led to the theft of reportedly billions of dollars of information and intellectual property. (I gave it all back.)
My “victims” then had me go back to their organizations and tell the stories about what I did, as a form of security awareness. The users were mesmerized by my stories. I heard about some successes in improved awareness, but when I went back for further assessments, the reality was that no real improvement had occurred. Just telling stories and telling people what not to do has limited impact.
Over two decades, I created and supported dozens, if not hundreds, of awareness programs for organizations of all types and sizes. I was able to see what worked best and what didn’t. I found that many of the common beliefs and strategies just didn’t work. They sounded great, but they were specious.
I also learned how to tell when awareness efforts were doomed to failure. More important though, I learned what works and how best to implement awareness programs.
This book shows how to implement the strategy that I found (through decades of experience) actually works. It helps you cut through hype and platitudes and begin doing what actually works. Platitudes and hype sound noble, but they are frequently misleading. Some of what I describe might go against what is considered common practice; however, you must consider that common practice has led to few improvements over decades. With that in mind, consider my perspective and determine what works best for your purposes. No guarantee exists of what will or won’t work in any given situation.
Take this insight into account as you read this book and choose your own path. To help you choose that path and make the content more accessible, I’ve divided this book into four parts:
»»Part 1, “Getting to Know Security Awareness”: An overview of the fundamental concepts and philosophies of security awareness
»»Part 2, “Building a Security Awareness Program”: The building blocks of an awareness program
»»Part 3, “Putting Your Security Awareness Program into Action”: Creating and implementing your program
»»Part 4, “The Part of Tens”: Quick guidance for optimizing your program
The appendix provides a sample assessment questionnaire.