Managing The Human Factor In Information Security

DESCRIPTION

With the growth in social networking and the potential for larger and larger breaches of sensitive data,it is vital for all enterprises to ensure that computer users adhere to corporate policy and project staff design secure systems. Written by a security expert with more than 25 years' experience, this book examines how fundamental staff awareness is to establishing security and addresses such challenges as containing threats, managing politics, developing programs, and getting a business to buy into a security plan. Illustrated with real-world examples throughout, this is a must-have guide for security and IT professionals.

Table of Contents

Acknowledgements.

Foreword.

Introduction.

Chapter 1: Power to the people.

The power is out there - somewhere.
An information rich world.
When in doubt, phone a friend.
Engage with the public.
The power of the blogosphere.
The future of news.
Leveraging new ideas.
Changing the way we live.
Transforming the political landscape.
Network effects in business.
Being there.
Value in the digital age.
Hidden value in networks.
Network innovations create security challenges.
You ve been de-perimeterized!
The collapse of information management.
The shifting focus of information security.
The external perspective.
A new world of openness.
A new age of collaborative working.
Collaboration oriented architecture.
Business in virtual worlds.
Democracy-but not as we know it.
Don t lock down that network.
The future of network security.
Can we trust the data?
The art of disinformation.
The future of knowledge.
The next big security concern.
Learning from networks.

Chapter 2: Everyone makes a difference.

Where to focus your efforts.
The view from the bridge.
The role of the executive board.
The new threat of data leakage.
The perspective of business management.
The role of the business manager.
Engaging with business managers.
The role of the IT function.
Minding your partners.
Computer users.
Customers and citizens.
Learning from stakeholders.

Chapter 3: There s no such thing as an isolated incident.
What lies beneath?
Accidents waiting to happen.
No system is foolproof.
Visibility is the key.
A lesson from the safety field.
Everyone makes mistakes.
The science of error prevention.
Swiss cheese and security.
How significant was that event?
Events are for the record.
When an event becomes an incident.
The immediacy of emergencies.
When disaster strikes.
When events spiral out of control.
How the response process changes.
No two crises are the same.
One size doesn t fit all.
The limits of planning.
Some assets are irreplaceable.
It s the process, not the plan.
Why crisis management is hard.
Skills to manage a crisis.
Dangerous detail.
The missing piece of the jigsaw.
Establish the real cause.
Are you incubating a crisis?
When crisis management becomes the problem.
Developing crisis strategy.
Turning threats into opportunities.
Boosting market capitalization.
Anticipating events.
Anticipating opportunities.
Designing crisis team structures.
How many teams?
Who takes the lead?
Ideal team dynamics.
Multi-agency teams.
The perfect environment.
The challenge of the virtual environment.
Protocols for virtual team working.
Exercising the crisis team.
Learning from incidents.

Chapter 4: Zen and the art of risk management.

East meets West.
The nature of risks.
Who invented risk management?
We could be so lucky.
Components of risk.
Gross or net risk?
Don t lose sight of business.
How big is your appetite?
It s an emotional thing.
In the eye of the beholder.
What risk was that?
Living in the past.
Who created that risk?
It s not my problem.
Size matters.
Getting your sums right.
Some facts are counter-intuitive.
The loaded dice.
The answer is 42.
It s just an illusion.
Context is king.
Perception and reality.
It s a relative thing.
Risk, what risk?
Something wicked this way comes.
The black swan.
Double jeopardy.
What type of risk?
Lessons from the process industries.
Lessons from cost engineering.
Lessons from the financial sector.
Lessons from the insurance field.
The limits of percentage play.
Operational risk.
Joining up risk management.
General or specific?
Identifying and ranking risks.
Using checklists.
Categories of risks.
It s a moving target.
Comparing and ranking risks.
Risk management strategies.
Communicating risk appetite.
Risk management maturity.
There s more to security than risk.
It s a decision support tool.
The perils of risk assessment.
Learning from risk management.

Chapter 5: Who can you trust?

An asset or a liability?
People are different.
The rule of four.
The need to conform.
Understand your enemies.
The face of the enemy.
Run silent, run deep.
Dreamers and charmers.
The unfashionable hacker.
The psychology of scams.
Visitors are welcome.
Where loyalties lie.
Signs of disloyalty.
The whistleblower.
Stemming the leaks.
Stamping out corruption.
Know your staff.
We know what you did.
Reading between the lines.
Liberty or death.
Personality types.
Personalities and crime.
The dark triad.
Cyberspace is less risky.
Set a thief.
It s a glamor profession.
There are easier ways.
I just don t believe it.
Don t lose that evidence.
They had it coming.
The science of investigation.
The art of interrogation.
Secure by design.
Science and snake oil.
The art of hypnosis.
The power of suggestion.
It s just an illusion.
It pays to cooperate.
Artificial trust.
Who are you?
How many identities?
Laws of identity.
Learning from people.

Chapter 6: Managing organization culture and politics.

When worlds collide.
What is organization culture?
Organizations are different.
Organizing for security.
Tackling "localities".
Small is beautiful.
In search of professionalism.
Developing careers.
Skills for information security.
Information skills.
Survival skills.
Navigating the political minefield.
Square pegs and round holes.
What s in a name?
Managing relationships.
Exceeding expectations.
Nasty or nice.
In search of a healthy security culture.
In search of a security mindset.
Who influences decisions?
Dealing with diversity.
Don t take yes for an answer.
Learning from organization culture and politics.

Chapter 7: Designing effective awareness programs.
Requirements for change.
Understanding the problem.
Asking the right questions.
The art of questionnaire design.
Hitting the spot.
Campaigns that work.
Adapting to the audience.
Memorable messages.
Let s play a game.
The power of three.
Creating an impact.
What s in a word?
Benefits not features.
Using professional support.
The art of technical writing.
Marketing experts.
Brand managers.
Creative teams.
The power of the external perspective.
Managing the media.
Behavioral psychologists.
Blogging for security.
Measuring your success.
Learning to conduct campaigns.

Chapter 8: Transforming organization attitudes and behavior.

Changing mindsets.
Reward beats punishment.
Changing attitudes.
Scenario planning.
Successful uses of scenarios.
Dangers of scenario planning.
Images speak louder.
A novel approach.
The balance of consequences.
The power of attribution.
Environments shape behavior.
Enforcing the rules of the network.
Encouraging business ethics.
The art of online persuasion.
Learning to change behavior.

Chapter 9: Gaining executive board and business buy-in.

Countering security fatigue.
Money isn t everything.
What makes a good business case?
Aligning with investment appraisal criteria.
Translating benefits into financial terms.
Aligning with IT strategy.
Achieving a decisive result.
Key elements of a good business case.
Assembling the business case.
Identifying and assessing benefits.
Something from nothing.
Reducing project risks.
Framing your recommendations.
Mastering the pitch.
Learning how to make the business case.

Chapter 10: Designing security systems that work.

Why systems fail.
Setting the vision.
What makes a good vision?
Defining your mission.
Building the strategy.
Critical success factors for effective governance.
The smart approach to governance.
Don t reinvent the wheel.
Look for precedents from other fields.
Take a top down approach.
Start small, then extend.
Take a strategic approach.
Ask the bigger question.
Identify and assess options.
Risk assessment or prescriptive controls?
In a class of their own.
Not all labels are the same.
Guidance for technology and people.
Designing long-lasting frameworks.
Applying the fourth dimension.
Do we have to do that?
Steal with caution.
The golden triangle.
Managing risks across outsourced supply chains.
Models, frameworks and architectures.
Why we need architecture.
The folly of enterprise security architectures.
Real-world security architecture.
The 5 W s (and one H).
Occam s razor.
Trust architectures.
Secure by design.
Jericho Forum principles.
Collaboration oriented architecture.
Forwards not backwards.
Capability maturity models.
The power of metrics.
Closing the loop.
The importance of ergonomics.
It s more than ease of use.
The failure of designs.
Ergonomic methods.
A nudge in the right direction.
Learning to design systems that work.

Chapter 11: Harnessing the power of the organization.

The power of networks.
Surviving in a hostile world.
Mobilizing the workforce.
Work smarter, not harder.
Finding a lever.
The art of systems thinking.
Creating virtuous circles.
Triggering a tipping point.
Identifying key influencers.
In search of charisma.
Understanding fashion.
The power of context.
The bigger me.
The power of the herd.
The wisdom of crowds.
Unlimited resources - the power of open source.
Unlimited purchasing power.
Let the network to do the work.
Why is everything getting more complex?
Getting to grips with complexity.
Simple can t control complex.
Designing freedom.
A process-free world.
The power of expressive systems.
Emergent behavior.
Why innovation is important.
What is innovation?
What inspires people to create?
Just one idea is enough.
The art of creative thinking.
Yes, you can.
Outside the box.
Innovation environments.
Turning ideas into action.
Steps to innovation heaven.
The road ahead.
Mapping the future.
Learning to harness the power of the organization.