Book Review: Security Culture Playbook

Title: The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

Author: Perry Carpenter, Kai Roer

Overall: Worth reading!

I haven’t found a lot of books talking about security awareness — from either the content or administration side, and that’s a shame. There’s a glut of technical books, and a sprinkle of business books, but very little on the teaching side. Comparatively, I haven’t seen as many awareness vendors as I have, say, vulnerability management vendors. Most offer some kind of phishing test platform, which makes sense. As much as everyone hates them, phishing tests are an oft-repeated security control of choice. As practitioners, we don’t really have another option to offer, either. If you don’t do phishing tests and training videos, what are you doing to address training and awareness?

Like many, I picked this up during a Humble Bundle deal.

Chapter 2 addresses an obvious question: Breaches exist, so how effective is what we’re doing? Spoiler alert: It’s not.

The rest of the book is an exercise in moving the needle from where we’re at to a perfect awareness utopia.

That starts with convincing the powers-that-be to invest the required resources. They’re business people and understand the concept of continuous improvement and the Toyota process. I’ve had seven classes out of 18 in my MBA so far; six of them have mentioned Toyota.

Chapter 3 dives into what exactly is going wrong with how programs run now. Carpenter describes his knowledge-intention-behavior gap, and it’s exactly as it sounds. Just because we give people information (don’t click the thing!) doesn’t guarantee that they’re going to remember or apply the information (clicks the thing anyway). Be honest: How are those New Year’s resolutions going to go?

Chapter 4 defines terms. I liked the lessons learned from safety culture, but I’m already convinced safety and security need to work together. I’m also a huge fan of context; here, the greater context is the timeline of industrial safety. The oil and gas industry didn’t emerge with regulations in place. It took decades for public sentiment to decide that workplace accidents should be the exception instead of the norm; it took more decades to develop standards and teach people new ways of working. The security industry is solidly in the middle of this cycle.

Chapter 6 gets into measurable areas to work with. Specifically, how does security affect the behaviors and values of a specific group of people? Humans are dumb, panicky animals and we want to do what the group is doing. If it’s socially acceptable to click the thing, more people will click the thing. (Alternatively: Wear a mask during a pandemic.) Importantly, if practitioners want compliance with policies, practitioners need to provide the structure needed to support compliance. Chapter 9 covers more metrics and how to measure something as fuzzy as culture.

Chapter 8 sets up Yet Another Framework. It works, as there are many suggestions on how to engage the people the practitioners wish to train. Only one of these options is phishing tests. Others include newsletters, giveaways, games, and events. In other words, get out there, and get marketing.

The rest of the book combines marketing concepts and How To Win Friends and Influence People. Getting people to not click the thing certainly requires a dash of both. Security has to meet people where they are in order to lead them to where we want them to be; as always, there’s nothing for it but to do it. Unfortunately, it’s not an area technology can program its way out of this time.
