You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions

  • Edition: 1st
  • Format: Paperback
  • Copyright: 2020-12-03
  • Publisher: Wiley

Stopping Losses from Accidental and Malicious Actions

Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations believe that there is some deficiency in the users and, in response, that they have to improve their awareness efforts and make users more secure. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and the failure is in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses.

Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement. 

  • Minimize business losses associated with user failings
  • Proactively plan to prevent and mitigate data breaches
  • Optimize your security spending
  • Cost-justify your security and loss reduction efforts
  • Improve your organization’s culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

Author Biography

Ira Winkler, CISSP, is President of Secure Mentem and is considered one of the world’s most influential security professionals. He has gained media notoriety for performing espionage simulations, in which he physically and technically "broke into" some of the largest companies in the world, investigating crimes against them, and telling them how to cost-effectively protect their information and computer infrastructure. He continues to perform these espionage simulations and to assist organizations in developing cost-effective security programs. Ira also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. Most recently, CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader. Ira is also a columnist for DarkReading and ComputerWorld, and writes for several other industry publications. Mr. Winkler has been a keynote speaker at almost every major information-security-related event, on 6 continents, and has keynoted events in many diverse industries.

Dr. Tracy Celaya Brown, CISSP, is President of Go Consulting Int’l. She is a sought-after consultant in IT Security Program Management, Organizational Development, and Change Management, and a U.S. Air Force veteran. As an international and top-rated speaker, she has been a guest lecturer at Arizona State University and has spoken at some of the most well-known security-related events in the world, including RSA USA, RSA Asia-Pacific, ISACA CSX North America & Europe, and SecureCISO.

Table of Contents

Foreword

Introduction

I Stopping Stupid is Your Job

1 Failure: The Most Common Option

History is Not on the Users’ Side

Today’s Common Approach

Operational and Security Awareness

Technology

Governance

We Propose a Strategy, Not Tactics

2 Users Are Part of the System

Understanding Users’ Role in the System

Users Aren’t Perfect

“Users” Refers to Anyone in Any Function

Malice is an Option

What You Should Expect from Users

3 What is User-Initiated Loss?

Processes

Culture

Physical Losses

Crime

User Malice

Social Engineering

User Error

Inadequate Training

Technology Implementation

Design and Maintenance

User Enablement

Shadow IT

Confusing Interfaces

UIL is Pervasive

II Foundational Concepts

4 Risk Management

Death by 1,000 Cuts

The Risk Equation

Value

Threats

Vulnerabilities

Countermeasures

Risk Optimization

Risk and User-Initiated Loss

5 The Problems with Awareness Efforts

Awareness Programs Can Be Extremely Valuable

Check-the-Box Mentality

Training vs Awareness

The Compliance Budget

Shoulds vs Musts

When It’s Okay to Blame the User

Awareness Programs Do Not Always Translate into Practice

Structural Failings of Awareness Programs

Further Considerations

6 Protection, Detection, and Reaction

Conceptual Overview

Protection

Detection

Reaction

Mitigating a Loss in Progress

Mitigating Future Incidents

Putting It All Together

7 Lessons from Safety Science

The Limitations of Old-School Safety Science

Most UIL Prevention Programs Are Old-School

The New School of Safety Science

Putting Safety Science to Use

Safety Culture

The Need to Not Remove All Errors

When to Blame Users

We Need to Learn from Safety Science

8 Applied Behavioral Science

The ABCs of Behavioral Science

Antecedents

Behaviors

Consequences

Engineering Behavior vs Influencing Behavior

9 Security Culture and Behavior

ABCs of Culture

Types of Cultures

Subcultures

What is Your Culture?

Improving Culture

Determining a Finite Set of Behaviors to Improve

Behavioral Change Strategies

Traditional Project Management

Change Management

Is Culture Your Ally?

10 User Metrics

The Importance of Metrics

The Hidden Cost of Awareness

Types of Awareness Metrics

Compliance Metrics

Engagement Metrics

Behavioral Improvement

Tangible ROI

Intangible Benefits

Day 0 Metrics

Deserve More

11 The Kill Chain

Kill Chain Principles

The Military Kill Chain

The Cyber Kill Chain and Defense in Depth

Deconstructing the Cyber Kill Chain

Phishing Kill Chain Example

Other Models and Frameworks

Applying Kill Chains to UIL

12 Total Quality Management Revisited

TQM: In Search of Excellence

Exponential Increase in Errors

Principles of TQM

What Makes TQM Fail?

Other Frameworks

Product Improvement and Management

Kill Chain for Process Improvement

COVID-19 Remote Workforce Process Activated

Applying Quality Principles

III Countermeasures

13 Governance

Defining the Scope of Governance for Our Purposes

Operational Security or Loss Mitigation

Physical Security

Personnel Security

Traditional Governance

Policies, Procedures, and Guidelines

In the Workplace

Security and the Business

Analyzing Processes

Grandma’s House

14 Technical Countermeasures

Personnel Countermeasures

Background Checks

Continuous Monitoring

Employee Management Systems

Misuse and Abuse Detection

Data Leak Prevention

Physical Countermeasures

Access Control Systems

Surveillance and Safety Systems

Point-of-Sale Systems

Inventory Systems and Supply Chains

Computer Tracking Systems

Operational Countermeasures

Accounting Systems

Customer Relationship Management

Operational Technology

Workflow Management

Cybersecurity Countermeasures

The 20 CIS Controls and Resources

Anti-malware Software

Whitelisting

Firewalls

Intrusion Detection/Prevention Systems

Managed Security Services

Backups

Secure Configurations

Automated Patching

Vulnerability Management Tools

Behavioral Analytics

Data Leak Prevention

Web Content Filters/Application Firewalls

Wireless and Remote Security

Mobile Device Management

Multifactor Authentication

Single Sign-On

Encryption

Nothing is Perfect

Putting It All Together

15 Creating Effective Awareness Programs

What is Effective Awareness?

Governance as the Focus

Where Awareness Strategically Fits in the Organization

The Goal of Awareness Programs

Changing Culture

Defining Subcultures

Interdepartmental Cooperation

The Core of All Awareness Efforts

Process

Business Drivers

Culture and Communication Tools

Putting It Together

Metrics

Gamification

Gamification Criteria

Structuring Gamification

Gamification is Not for Everyone

Getting Management’s Support

Awareness Programs for Management

Demonstrate Clear Business Value

Enforcement

Experiment

IV Applying Boom

16 Start with Boom

What Are the Actions That Initiate UIL?

Start with a List

Order the List

Metrics

Governance

User Experience

Prevention and Detection

Awareness

Feeding the Cycle

Stopping Boom

17 Right of Boom

Repeat as Necessary

What Does Loss Initiation Look Like?

What Are the Potential Losses?

Preventing the Loss

Compiling Protective Countermeasures

Detecting the Loss

Before, During, and After

Mitigating the Loss

Determining Where to Mitigate

Avoiding Analysis Paralysis

Your Last Line of Defense

18 Preventing Boom

Why Are We Here?

Reverse Engineering

Governance

Awareness

Technology

Step-by-Step

19 Determining the Most Effective Countermeasures

Early Prevention vs Response

Start with Governance

Understand the Business Goal

Start Left of Boom

Consider Technology

Prioritize Potential Loss

Define Governance Thoroughly

Matrix Technical Countermeasures

Creating the Matrix

Define Awareness

It’s Just a Start

20 Implementation Considerations

You’ve Got Issues

Weak Strategy

Resources, Culture, and Implementation

Lack of Ownership and Accountability

One Effort at a Time

Change Management

Adopting Changes

Governance, Again

Business Case for a Human Security Officer

It Won’t Be Easy

21 If You Have Stupid Users, You Have a Stupid System

A User Should Never Surprise You

Perform Some More Research

Start Somewhere

Take Day Zero Metrics

UIL Mitigation is a Living Process

Grow from Success

The Users Are Your Canary in the Mine

Index
