People-Centric Security: Transforming Your Enterprise Security Culture

Book Description

A culture hacking how-to, complete with strategies, techniques, and resources for securing the most volatile element of information security—humans

People-Centric Security: Transforming Your Enterprise Security Culture addresses the urgent need for change at the intersection of people and security. Essentially a complete security culture toolkit, this comprehensive resource provides you with a blueprint for assessing, designing, building, and maintaining human firewalls.

Globally recognized information security expert Lance Hayden lays out a course of action for drastically improving organizations’ security cultures through the precise use of mapping, survey, and analysis. You’ll discover applied techniques for embedding strong security practices into the daily routines of IT users and learn how to implement a practical, executable, and measurable program for human security.

  • Features downloadable mapping and surveying templates
  • Case studies throughout showcase the methods explained in the book
  • Valuable appendices detail security tools and cultural threat and risk modeling
  • Written by an experienced author and former CIA human intelligence officer

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Author
  6. Contents at a Glance
  7. Contents
  8. Foreword
  9. Acknowledgments
  10. Introduction
  11. Part I Understanding Your Security Culture
    1. Chapter 1 Information Security: Adventures in Culture Hacking
      1. Burnt Bacon
        1. Safe and Not Secure
        2. What Were You Thinking?
      2. Culture Hacking
        1. Software of the Mind
        2. A Brief History of Culture Hacking
        3. Security Culture: Hack or Be Hacked
      3. Who’s Hacking Your Security Culture?
      4. Security, Hack Thyself
        1. Culture Hacks: The Good
        2. Culture Hacks: The Bad
        3. Culture Hacks: The Ugly
      5. Security Is People!
      6. Further Reading
    2. Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture
      1. Why Security Fails
        1. We Start with a Design
        2. Warning Signs
        3. Doing More with Less
        4. Who Moved My Fence?
        5. Look Out Below!
        6. Getting the Drift
      2. The Opposite of Monoculture
        1. Cultural Traits in Information Security
        2. Competing Values and Security Threats
      3. The Change Agents of Security Culture
        1. The C-Suite
        2. Security Awareness Teams
        3. Security Researchers
        4. Security Practitioners
      4. Making Security Cultural
      5. Further Reading
    3. Chapter 3 Organizational Culture: A Primer
      1. The Field of Organizational Culture
        1. Origins
        2. Outcomes
      2. The Culture Iceberg
        1. Hidden Aspects
        2. People Powered
      3. The Organizational Cultural/Organizational Performance Link
      4. Assessing and Measuring Culture
        1. Qualitative vs. Quantitative Measurement of Culture
        2. Qualitative Measures and Techniques
        3. Culture by the Numbers
      5. Challenges of Cultural Transformation
        1. There’s No One Right Way to Change Culture
        2. You Have to Include Everybody
        3. You Have to Build Consensus
        4. You Have to Evaluate the Outcomes
        5. You Have to Have Good Leadership
      6. An Ocean of Research
      7. Further Reading
    4. Chapter 4 Cultural Threats and Risks
      1. Cultural Threat Modeling
        1. Covert Processes and Cultural Risk
      2. Getting to Know PEPL
        1. Political Threats
        2. Emotional Threats
        3. Psychological Threats
        4. Logistical Threats
      3. Cultural Competition as a Source of Risk
        1. Sizing Up the Competition
      4. Further Reading
  12. Part II Measuring Your Security Culture
    1. Chapter 5 The Competing Security Cultures Framework
      1. Measuring Security Culture
        1. Quantitative Data and Analysis
        2. Qualitative Data and Analysis
        3. Combining the Qualitative and Quantitative
        4. Other Ways of Describing Culture
      2. The Competing Security Cultures Framework
        1. Origins of the CSCF in Competing Values Research
        2. Adapting the Competing Values Framework to Security
        3. The CSCF Quadrants
        4. Overlapping and Competing Values
        5. Limitations of the Framework
      3. Why Not Just Use the Competing Values Framework?
        1. Security Culture Benefits From a Targeted Approach
        2. Not Everything in the Competing Values Framework Translates Well
      4. Organizational Security Cultures
        1. Process Culture
        2. Compliance Culture
        3. Autonomy Culture
        4. Trust Culture
      5. Further Reading
    2. Chapter 6 The Security Culture Diagnostic Survey (SCDS)
      1. SCDS Format and Structure
        1. How Surveys Work
        2. Questions in the SCDS
        3. SCDS Scoring Methodology
      2. Scoring the SCDS Results
      3. Security Culture Diagnostic Strategies: Case Studies
        1. ABLE Manufacturing: Measuring an Existing Security Culture
        2. CHARLIE Systems, Inc.: Comparing Security Cultures of Two Organizations
        3. DOG: Comparing Existing to Desired Security Culture
    3. Chapter 7 Creating Culture Maps with the Security Culture Diagnostic Survey
      1. Security Culture Maps
        1. Mapping Security Culture Using the CSCF
        2. Composition of a SCDS-based Culture Map
        3. Other Techniques for Mapping Security Culture
        4. “When Should I Use Each Type of Map?”
        5. Mapping Specific Values and Activities
      2. Interpreting and Comparing Culture
        1. Interpreting SCDS Results
        2. Comparing Cultures
    4. Chapter 8 Implementing a Successful Security Culture Diagnostic Project
      1. Getting Buy-in for the Security Culture Diagnostic Project
        1. Direct Benefits of Security Culture Improvement
        2. Estimating the Financial Impact of Security Culture
        3. Case Study: FOXTROT Integrators, Inc.
      2. Executing a Security Culture Diagnostic Project
        1. 1. Setting Up the Project
        2. 2. Collecting Data
        3. 3. Analyzing Responses
        4. 4. Interpreting Culture and Communicating Results
      3. From Measurement to Transformation
      4. Further Reading
  13. Part III Transforming Your Security Culture
    1. Chapter 9 From Diagnosis to Transformation: Implementing People-Centric Security
      1. Diagnosis and Transformation: One Coin, Two Sides
        1. The CSCF as a Framework for Understanding
        2. What Is the Framework for Transformation?
      2. Behavioral Models for Security Culture Transformation
        1. Compliance and Control Regimes
        2. Security Process Improvement
        3. Technology and Automation Approaches
        4. Security Needs More Options
      3. Further Reading
    2. Chapter 10 Security FORCE: A Behavioral Model for People-Centric Security
      1. Origins of Security FORCE
        1. HRO Research
        2. HROs in Information Security
      2. Introducing the Security FORCE Behavioral Model
        1. Five Core Values of Security FORCE
      3. Security FORCE Value Behaviors and Metrics
        1. Security FORCE Value Behaviors
        2. Security FORCE Value Metrics
      4. The Culture–Behavior Link in HRSPs
      5. Further Reading
    3. Chapter 11 The Security Value of Failure
      1. What Is the Security Value of Failure?
        1. “Failure Is Not an Option”
        2. Reevaluating Failure
        3. Embracing Failure
        4. Fail Small, Fail Fast, Fail Often
      2. Failure Key Value Behaviors
        1. Anticipate Failures
        2. Seek Out Problems
        3. Reward Problem Reporting
        4. Share Information About Failures
        5. Learn from Mistakes
      3. Assessing Your Failure Value Behaviors
        1. The Security FORCE Survey
        2. The Security FORCE Metrics
      4. Improving Your Failure Value Behaviors
        1. Embed the Security Value of Failure into People
        2. Reeducate People on What It Means to Fail
        3. Set Leadership Examples
        4. Open Up Communication
      5. Further Reading
    4. Chapter 12 The Security Value of Operations
      1. What Is the Security Value of Operations?
        1. Operational Power
        2. Sensitivity to Operations
        3. Expectations and Reality
      2. Operations Key Value Behaviors
        1. Keep Your Eyes Open
        2. Form a Bigger Picture
        3. “Listen” to the System
        4. Test Expectations Against Reality
        5. Share Operational Assessments
      3. Assessing Your Operations Value Behaviors
        1. Scoring the Operations Value Behavior Survey
        2. FORCE Value Metrics for Operations
      4. Improving Your Operations Value Behaviors
        1. Embed Operations Value into the Security Program
        2. Think More Like Scientists
        3. Embrace the “Sharing Economy”
        4. Lighten Up a Bit
      5. Further Reading
    5. Chapter 13 The Security Value of Resilience
      1. What Is the Security Value of Resilience?
        1. When Bad Things Happen (to Good Organizations)
        2. Rolling with the Punches
        3. Imagining Failures and Disasters
      2. Resilience Key Value Behaviors
        1. Overtrain People
        2. Create “Skill Benches”
        3. Actively Share Expertise
        4. Encourage Stretch Goals
        5. Practice Failing
      3. Assessing Your Resilience Value Behaviors
        1. Scoring the Resilience Value Behavior Survey
        2. FORCE Value Metrics for Resilience
      4. Improving Your Resilience Value Behaviors
        1. Embed Resilience Value into the Security Program
        2. “A Security Incident? I Want In!”
        3. Make Security Incidents Mundane
      5. Further Reading
    6. Chapter 14 The Security Value of Complexity
      1. What Is the Security Value of Complexity?
        1. Dumbing It Down
        2. Growing Uncertainty
        3. Ignorance Is Risk
      2. Complexity Key Value Behaviors
        1. Don’t Oversimplify
        2. Formalize Your Assumptions
        3. Covet Empirical Evidence
        4. Share the Doubt
        5. Make Every Model Better
      3. Assessing Your Complexity Value Behaviors
        1. Scoring the Complexity Value Behavior Survey
        2. FORCE Value Metrics for Complexity
      4. Improving Your Complexity Value Behaviors
        1. Embed Complexity Value into the Security Program
        2. Think Bigger
        3. Accept What We Already Know
      5. Further Reading
    7. Chapter 15 The Security Value of Expertise
      1. What Is the Security Value of Expertise?
        1. Filter Your Water, Not Your Information
        2. Structural Authority vs. Structural Knowledge
        3. Waiting for the Big One
      2. Expertise Key Value Behaviors
        1. Ask the Experts
        2. Suppress the Egos
        3. Allow Authority to Migrate
        4. Share Credibility
        5. Reward Calls to Action and Cries for Help
      3. Assessing Your Expertise Value Behaviors
        1. Scoring the Expertise Value Behavior Survey
        2. FORCE Value Metrics for Expertise
      4. Improving Your Expertise Value Behaviors
        1. Embed Expertise Value into the Security Program
        2. Make Everyone a Sensor
        3. Create Decision Fast Lanes
        4. Value Expertise from the Top Down
      5. Further Reading
    8. Chapter 16 Behavior and Culture: Mastering People-Centric Security
      1. What Does Security Culture Transformation Mean?
        1. Describing Transformation in Terms of Cultural Capabilities Maturity
        2. The Cultural Capabilities Maturity Model: Formalizing Cultural Maturity
      2. Supporting Security Culture Transformation with Security FORCE Projects
        1. The Value of a Security FORCE Project
        2. Managing a Security FORCE Project
      3. The Security FORCE Scorecard
        1. Scoring the FORCE Survey Questions, Revisited
        2. Pooling Your FORCEs
        3. Security FORCE Metrics and the FORCE Scorecard
        4. “Are We a Highly Reliable Security Program?”
      4. CSCF and Security FORCE: Aligning Culture and Behavior in People-Centric Security
        1. Chaining Culture and Behavior Efforts
        2. Using the SCDS and FORCE Independently
        3. General Alignments Between Security FORCE and the CSCF
        4. Taking Advantage of Cultural-Behavioral Alignments
        5. Blending Security Culture Diagnostic and Security FORCE Projects for Improved Cultural Maturity
      5. Further Reading
    9. Chapter 17 Leadership, Power, and Influence in People-Centric Security
      1. A Crisis of Leadership
        1. The CISO as a Business Leader
        2. Business Leaders as Security Enablers
        3. Security Power Dynamics
        4. “What if I am not a CISO?”
      2. Leadership in People-Centric Security
        1. You Don’t Lead Machines
        2. Influence and Transformation
      3. Adapting the CSCF and Security FORCE Model to Leadership
        1. The CSCF, SCDS, and Cultural Leadership
        2. The Security FORCE Model and Behavioral Leadership
      4. Further Reading
    10. Chapter 18 Securing a People-Centric Future
      1. The Security of Things
        1. Social Security
        2. As Many Securities as Things to Secure
      2. Framing People-Centric Security
        1. Security Soft Power
        2. Three Takeaways from the Book
      3. Putting People-Centric Security to Work
        1. Two Models, One Goal
        2. People-Centric Security Strategies
      4. Conclusion
      5. Further Reading
  14. Index