Transformational Security Awareness

What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors
1st edition

by: Perry Carpenter

21,99 €

Publisher: Wiley
Format: PDF
Published: 30.04.2019
ISBN/EAN: 9781119566373
Language: English
Number of pages: 368

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

<p><b>Expert guidance on the art and science of driving secure behaviors</b><b> </b></p> <p><i>Transformational Security Awareness</i> empowers security leaders with the information and resources they need to assemble and deliver effective world-class security awareness programs that drive secure behaviors and culture change. </p> <p>When all other processes, controls, and technologies fail, humans are your last line of defense. But, how can you prepare them? Frustrated with ineffective training paradigms, most security leaders know that there must be a better way. A way that engages users, shapes behaviors, and fosters an organizational culture that encourages and reinforces security-related values. The good news is that there is hope. That’s what <i>Transformational Security Awareness</i> is all about.</p> <p> Author Perry Carpenter weaves together insights and best practices from experts in communication, persuasion, psychology, behavioral economics, organizational culture management, employee engagement, and storytelling to create a multidisciplinary masterpiece that transcends traditional security education and sets you on the path to make a lasting impact in your organization.</p> <ul> <li>Find out what you need to know about marketing, communication, behavior science, and culture management</li> <li>Overcome the <i>knowledge-intention-behavior gap</i></li> <li>Optimize your program to work with the realities of human nature</li> <li>Use simulations, games, surveys, and leverage new trends like escape rooms to teach security awareness</li> <li>Put effective training together into a well-crafted campaign with ambassadors</li> <li>Understand the keys to sustained success and ongoing culture change</li> <li>Measure your success and establish continuous improvements</li> </ul> <p>Do you care more about what your employees <i>know</i> or what they <i>do</i>? It's time to transform the way we think about security awareness. 
If your organization is stuck in a security awareness rut, using the same ineffective strategies, materials, and information that might check a compliance box but still leaves your organization wide open to phishing, social engineering, and security-related employee mistakes and oversights, then you NEED this book.</p>
<p>Foreword xxi</p> <p>Introduction xxiii</p> <p><b>I The Case for Transformation 1</b></p> <p><b>1 </b><b>You Know Why 3</b></p> <p>Humans Are the Last Line of Defense 4</p> <p>Data Breaches Tell the Story 6</p> <p>Auditors and Regulators Recognize the Need for Security Awareness Training 11</p> <p>Traditional Security Awareness Program Methods Fall Short of Their Goals 14</p> <p>Key Takeaways 16</p> <p>References 17</p> <p><b>2 </b><b>Choosing a Transformational Approach 19</b></p> <p>Your “Why” Determines Your “What” 20</p> <p>Down the Rabbit Hole 21</p> <p>Outlining the Key Components and Tools of a Transformational Program 24</p> <p>A Map of What’s to Come 28</p> <p>Part 1 in a Nutshell 30</p> <p>Part 2 in a Nutshell 30</p> <p>Part 3 in a Nutshell 31</p> <p>Key Takeaways 32</p> <p>Notes and References 32</p> <p><b>II The Tools of Transformation 35</b></p> <p><b>3 </b><b>Marketing and Communications 101 for Security Awareness Leaders 37</b></p> <p>The Communications Conundrum 38</p> <p>The Marketing Connection 40</p> <p>Defining Marketing 44</p> <p>Embedding Your Messages 53</p> <p>Get the Right Message to the Right Person at the Right Time 70</p> <p>Campaigns: If You Aren’t Reinforcing, Your Audience Is Forgetting 76</p> <p>Tracking Results and Measuring Effectiveness 76</p> <p>Know When to Ask for Help 77</p> <p>Key Takeaways 78</p> <p>Notes and References 78</p> <p>Additional Reading 81</p> <p><b>4 </b><b>Behavior Management 101 for Security Awareness Leaders 83</b></p> <p>Your Users Aren’t Stupid, They’re Human 85</p> <p>Thinking, Fast and Slow 87</p> <p>System 1 Thinking 88</p> <p>System 2 Thinking 91</p> <p>Working with Human Nature Rather Than Against 93</p> <p>The Nuts and Bolts of Shaping Behavior 96</p> <p>The Fogg Behavior Model 97</p> <p>The Problem with Motivation 103</p> <p><i>Nudge </i>Them in the Right Direction 103</p> <p>Frames: Why Context Is Everything 109</p> <p>Designing and Debugging Behavior 117</p> <p>Being Intentional with Target 
Groups 117</p> <p>Debugging Behaviors 118</p> <p>Design “Power Prompts” Wherever Possible 122</p> <p>Password Management Example, Continued 123</p> <p>Habits Make Hard Things Easier to Do 130</p> <p>Thinking About Guardrails 132</p> <p>Tracking Results and Measuring Effectiveness 133</p> <p>Key Takeaways 134</p> <p>Notes and References 135</p> <p>Additional Reading 137</p> <p><b>5 </b><b>Culture Management 101 for Security Awareness Leaders 141 </b></p> <p>Security Culture is Part of Your Larger Organizational Culture 144</p> <p>Getting Started 147</p> <p>Understanding Your Culture’s Status Quo 149</p> <p>Go Viral: Unleash the Power of Culture Carriers 156</p> <p>Cultures in (Potential) Conflict: Remember Global and Social Dynamics 164</p> <p>Cultural Forces 165</p> <p>Structures 167</p> <p>Pressures 167</p> <p>Rewards 169</p> <p>Rituals 169</p> <p>Tracking Results and Measuring Effectiveness 171</p> <p>Key Takeaways 171</p> <p>Notes and References 172</p> <p>Additional Reading 174</p> <p><b>6 </b><b>What’s in a Modern Security Awareness Leader’s Toolbox? 
175</b></p> <p>Content Is King: Videos, Learning Modules, and More 176</p> <p>Big Box Shopping: A Content Analogy 178</p> <p>Types of Content 181</p> <p>Experiences: Events, Meetings, and Simulations 186</p> <p>Meetings, Presentations, and Lunch-and-Learns 187</p> <p>Tabletop Exercises 188</p> <p>Rituals 189</p> <p>Webinars 190</p> <p>Games 190</p> <p>Simulated Phishing and Social Engineering 191</p> <p>Other Simulations and Embodied Learning 192</p> <p>Interactions with Other Technologies 193</p> <p>Relationships: Bringing Context to Content and Experiences 194</p> <p>Be Intentional and Opportunistic, Always 195</p> <p>Stories and Analogies 195</p> <p>Tapping into Cultural Trends 195</p> <p>Opportunistic Campaigns Based on New Organizational Initiatives and Current Events 196</p> <p>The Critical “At Home” Connection 197</p> <p>Use Your Metrics and Anecdotes to Help Tell and Reinforce Your Story 197</p> <p>Key Takeaways 198</p> <p>Notes and References 198</p> <p><b>7 </b><b>Voices of Transformation: Interviews with Security Awareness Vendors 201</b></p> <p>Anna Collard, Popcorn Training 201</p> <p>Chris Hadnagy, Social Engineer 204</p> <p>Drew Rose, Living Security 209</p> <p>Gary Berman, The CyberHero Adventures: Defenders of the Digital Universe 211</p> <p>Jason Hoenich, Habitu8 214</p> <p>Jim Shields, Twist and Shout 217</p> <p>Kai Roar, CLTRe 219</p> <p>Lisa Plaggemier, InfoSec Institute 221</p> <p>Masha Sedova, Elevate Security 224</p> <p>Stu Sjouwerman, KnowBe4 226</p> <p>Tom Pendergast, MediaPRO 228</p> <p>Winn Schwartau, The Security Awareness Company (SAC) 231</p> <p>Reference 236</p> <p><b>III The Process of Transformation 237</b></p> <p><b>8 </b><b>Living Your Awareness Program Through the Eyes and Lives of Your Audience 239</b></p> <p>A Learner Journey Map: Awareness in the Context of Life 240</p> <p>Key Takeaways 248</p> <p>Notes and References 248</p> <p><b>9 </b><b>Putting It All Together 251</b></p> <p>Before You Begin 252</p> <p>The Five Secrets of 
Security Awareness Success 252</p> <p>Tips for Gaining Buy-In 259</p> <p>Leverage Cialdini’s Principles of Persuasion 264</p> <p>Making Adjustments 269</p> <p>Thoughts About Crafting Campaigns 269</p> <p>Thinking Through Target Groups 271</p> <p>Be Intentional with Recognition and Reward 277</p> <p>Assembling Your Culture Carriers 277</p> <p>Measuring Your Success 278</p> <p>What Does the Future Hold? 279</p> <p>Key Takeaways 280</p> <p>Notes and References 281</p> <p><b>10 </b><b>Closing Thoughts 283</b></p> <p>Leverage the Power of Community. 283</p> <p>Be a Lifelong Learner 285</p> <p>Be a Realistic Optimist 290</p> <p>Conclusion 291</p> <p><b>11 </b><b>Voices of Transformation: Interviews with Security Awareness Program Leaders 293</b></p> <p>Bruce Hallas, Marmalade Box 294</p> <p>Carlos Miró, MUFG Union Bank 296</p> <p>Dr. Cheryl O. Cooper, Sprint Corporation 298</p> <p>Krina Snider, Sprint 302</p> <p>Mark Majewski, Quicken Loans 305</p> <p>Michael Lattimore, Independent Consultant 307</p> <p>Mo Amin, Independent Consultant 311</p> <p>Prudence Smith, Senior Cyber and Information Security Consultant and Industry Speaker 313</p> <p>Thom Langford, (TL)2 Security 320</p> <p>Tory Dombrowski, Takeform 323</p> <p>Appendix: Seven Key Reminder Nudges to Help Your Recall 329</p> <p>Index 331</p>
<p><b>PERRY CARPENTER</b> is the Chief Evangelist and Strategy Officer for KnowBe4, the world's most popular security awareness and simulated phishing platform. A former security awareness researcher and CISO advisor at Gartner Research, he now works closely with Kevin Mitnick, arguably the world's most famous hacker. Perry frequently addresses management audiences at major cybersecurity conferences.
<p>"I love seeing graduates of my Boot Camp use Behavior Design to address real-world problems. Perry does just that in Transformational Security Awareness, and the results are compelling."<br/> <b>—BJ FOGG P<small>H</small>D,</b> Researcher and Founder of the Stanford University Behavior Design Lab, Author of <i>Tiny Habits: The Small Changes that Change Everything</i> <p><b>DO YOU CARE MORE ABOUT WHAT YOUR EMPLOYEES KNOW, OR WHAT THEY DO?</b> <p><i>Transformational Security Awareness</i> offers a fresh, multidisciplinary approach to building a vital culture of awareness and secure behavior. Weaving together insights and best practices from experts in communication, persuasion, psychology, behavioral economics, organizational culture management, employee engagement, and storytelling, author Perry Carpenter empowers organizations to focus on the human element. The tools he provides let you create behavior change that enhances security at every level. <p>What good is <i>awareness</i> if your people still don't care or behave in ways that reflect the security values that you are training on? Building secure users requires an intentional focus on behavior and cultural supports, finding actionable ways to intersect with users in the ways that will be most impactful; from relevant information, to behavioral interventions, to cultural and social supports and pressures. This book helps you optimize your security program to include and work with the realities of human nature. Using the insight provided by behavioral and marketing disciplines, you'll learn to engage users, shape behaviors, and foster an organizational culture that encourages and reinforces security-related values. Don't just change what your employees <i>know,</i> change what they <i>do</i> because actions not knowledge will determine whether your organization is breached or secure. 
<p>With <i>Transformational Security Awareness,</i> you'll learn to account for the most important factor in your security program: the human factor. Discover how to: <ul> <li>Overcome the knowledge-intention-behavior gap</li> <li>Teach security awareness using simulations, games, surveys, and other methods</li> <li>Recognize why technological security tools aren't enough</li> <li>Develop a well-crafted security awareness program that leverages effective training, behavior shaping techniques, and a network of 'culture carriers'</li> <li>Understand the keys to sustained success and ongoing culture change</li> <li>Measure your success and establish continuous improvements</li> </ul> <p><b><i>Here's what I know:</i></b> <p>"A transformational security awareness program <i>will</i> pay-off. In the same way that a steady stream of water over time will create a canyon; or that small amounts of money invested will, through the magic of compound interest, turn into large sums of money, your efforts <i>do</i> make a lasting impact!"<br/> <b>—Perry Carpenter</b>
