The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

Mitigate human risk and bake security into your organization’s culture from top to bottom with insights from leading experts in security awareness, behavior, and culture. The topic of security culture is mysterious and confusing to most leaders, but it doesn’t have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists, deliver experience-driven, actionable insights into how to transform your organization’s security culture and reduce human risk at every level. This book exposes the gaps in how organizations have traditionally approached human risk, and it provides security and business executives with the information and tools needed to understand, measure, and improve the facets of security culture across the organization.

The book offers:
An exposé of what security culture really is and how it can be measured
A careful exploration of the 7 dimensions that comprise security culture
Practical tools for managing your security culture program, such as the Security Culture Framework and the Security Culture Maturity Model
Insights into building support within the executive team and Board of Directors for your culture management program

Also including several revealing interviews with security culture thought leaders in a variety of industries, The Security Culture Playbook is an essential resource for cybersecurity professionals, risk and compliance managers, executives, board members, and other business leaders seeking to proactively manage and reduce risk.

Author(s): Perry Carpenter, Kai Roer
Edition: 1
Publisher: Wiley
Year: 2022

Language: English
Pages: 257

Cover
Title Page
Copyright Page
About the Authors
Acknowledgments
Contents at a Glance
Contents
Introduction
What Lies Ahead?
Part I: Foundation
Part II: Exploration
Part 3: Transformation
Reader Support for This Book
How to Contact the Publisher
How to Contact the Authors
Part I Foundation
Chapter 1 You Are Here
Why All the Buzz?
What Is Security Culture, Anyway?
A Problem of Definition
A Problem of Overconfidence
Takeaways
Chapter 2 Up-leveling the Conversation: Security Culture Is a Board-level Concern
A View from the Top
Telling the Human Side of the Story
What’s the Cost of Not Getting This Right?
Cybercriminals Are Doubling Down on Their Attacks Against Your Employees
Your People and Security Culture Are at the Center of Everything
The Implication
Getting It Right
Takeaways
Chapter 3 The Foundations of Transformation
The Core Thesis
The Knowledge-Intention-Behavior Gap
Three Realities of Security Awareness
Program Focus
Extending the Discussion
Introducing the Security Culture Maturity Model
The Security Culture Maturity Model in Brief
The S-Curves
The Value of the Security Culture Maturity Model
You Are Always Either Building Strength or Allowing Atrophy
Takeaways
Part II Exploration
Chapter 4 Just What Is Security Culture, Anyway?
Lessons from Safety Culture
A Jumble of Terms
Information Security Culture
IT Security Culture
Cybersecurity Culture
Security Culture in the Modern Day
Technology Focus
Compliance Focus
Human-Reality Focus
Takeaways
Chapter 5 Critical Concepts from the Social Sciences
What’s the Real Goal—Awareness, Behavior, or Culture?
Coming to Terms with Our Irrational Nature
We Are Lazy
Why Don’t We Just Give Up?
Security Culture—A Part of Organizational Culture
Takeaways
Chapter 6 The Components of Security Culture
A Problem of Definition
The Academic Perspective
The Practitioner Perspective
Defining Security Culture
Security Culture as Dimensions
The Seven Dimensions of Security Culture
Attitudes
Behaviors
Cognition
Communication
Compliance
Norms
Responsibilities
The Security Culture Survey
Example Findings from Measuring the Seven Dimensions
Normalized Use of Unauthorized Services
Confidentiality and Insider Threats
Last Thought
Takeaways
Chapter 7 Interviews with Organizational Culture Experts and Academics
John R. Childress, PYXIS Culture Technologies Limited
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
How Does a Culture Evolve (or How Often?)
Professor John McAlaney, Bournemouth University, UK
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
How Does a Culture Evolve (or How Often?)
Dejun “Tony” Kong, PhD, Muma College of Business, University of South Florida
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
Michael Leckie, Silverback Partners, LLC
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
How Does a Culture Evolve (or How Often?)
Part III Transformation
Chapter 8 Introducing the Security Culture Framework
The Power of Three
Step 1: Measure
Step 2: Involve
Step 3: Engage
Rinse and Repeat
Benefits of Using the Security Culture Framework
Takeaways
Chapter 9 The Secrets to Measuring Security Culture
Connecting Awareness, Behavior, and Culture
How Can You Measure the Unseen?
Using Existing Data
The Right Way to Use Data
Methods of Measuring Culture
Observation
Experimentation
Interrogation (Surveys and Interviews)
A/B Testing
Multiple Metrics, Single Score
Trends
A Note Regarding Completion Rates
Takeaways
Chapter 10 How to Influence Culture
Resistance to Change
Be Proactive
The Complexity of Culture
Using the Seven Dimensions to Influence Your Security Culture
Attitudes
Behaviors
Cognition
Communication
Compliance
Norms
Responsibilities
How Do You Know Which Dimension to Target?
You Are in It for the Long Haul
Takeaways
Chapter 11 Culture Sticking Points
Does Culture Change Have to Be Difficult?
Using Norms Is a Double-Edged Sword
Failing to Plan Is Planning to Fail
If You Try to Work Against Human Nature, You Will Fail
Not Seeing the Culture You Are Embedded In
Takeaways
Chapter 12 Planning and Maturing Your Program
Taking Stock of What We’ve Covered
View Your Culture Through Your Employees’ Eyes
Culture Carriers
Building and Modeling Maturity
Exploring the Data
Culture Maturity Indicators
Level 1: Basic Compliance
Level 2: Security Awareness Foundation
Level 3: Programmatic Security Awareness & Behavior
Level 4: Security Behavior Management
Level 5: Sustainable Security Culture
There Are Stories in the Data
A Seat at the Table
Takeaways
Chapter 13 Quick Tips for Gaining and Maintaining Support
You Are a Guide
Sell by Using Stories
Lead with Empathy, Know Your Audience
Set Expectations
Takeaways
Chapter 14 Interviews with Security Culture Thought Leaders
Alexandra Panaretos, Ernst & Young
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
Dr. Jessica Barker, Cygenta
Why Is Security Culture Important?
Why Do You Find Culture Interesting?
What Actions Can Be Taken to Direct Cultural Change?
What Is Your Most Interesting Experience with Culture?
Kathryn Tyrpak, Jaguar Land Rover
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
What Actions Can Be Taken to Direct Cultural Change?
Lauren Zink, Boeing
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
Mark Majewski, Rock Central
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
How Does a Culture Evolve (or How Often?)
Mo Amin, moamin.com
Why Is Culture Important?
Why Do You Find Culture Interesting?
Is There a Specific Definition of Culture That You Find Useful?
How Do You Use Metrics to Improve Culture / Measure the Effectiveness of Cultural Change?
What Actions Can Be Taken to Direct Cultural Change?
Is There a Success or Horror Story You’d Like to Share Related to Culture Change?
How Does a Culture Evolve (or How Often)?
Chapter 15 Parting Thoughts
Engage the Community
Be a Lifelong Learner
Be a Realistic Optimist
Conclusion
Bibliography
Index
EULA