People-Centric Security: Transforming Your Enterprise Security Culture

Contents

I. Understanding Your Security Culture

  Information Security: Adventures in Culture Hacking
    Burnt Bacon
    Safe and Not Secure
    What Were You Thinking?
    Culture Hacking
    Software of the Mind
    A Brief History of Culture Hacking
    Security Culture: Hack or Be Hacked
    Who's Hacking Your Security Culture?
    Security, Hack Thyself
    Culture Hacks: The Good
    Culture Hacks: The Bad
    Culture Hacks: The Ugly
    Security Is People!
    Further Reading

  Strategy for Breakfast: The Hidden Power of Security Culture
    Why Security Fails
    We Start with a Design
    Warning Signs
    Doing More with Less
    Who Moved My Fence?
    Look Out Below!
    Getting the Drift
    The Opposite of Monoculture
    Cultural Traits in Information Security
    Techno-romanticism
    Defeatism
    Exceptionalism
    Paranoia
    "I Just Know What They Could Do..."
    Competing Values and Security Threats
    The Change Agents of Security Culture
    The C-Suite
    Security Awareness Teams
    Security Researchers
    Security Practitioners
    Making Security Cultural
    Further Reading

  Organizational Culture: A Primer
    The Cultural Success of Apple
    The Field of Organizational Culture
    Origins
    Security and Global Culture
    Outcomes
    The Cultural Failure of Enron
    The Culture Iceberg
    Hidden Aspects
    People Powered
    The Organizational Cultural/Organizational Performance Link
    The Cultural Migration of PayPal
    Assessing and Measuring Culture
    Qualitative vs. Quantitative Measurement of Culture
    Qualitative Measures and Techniques
    Lord Kelvin's "Meagre Understanding"
    Culture by the Numbers
    Challenges of Cultural Transformation
    There's No One Right Way to Change Culture
    You Have to Include Everybody
    You Have to Build Consensus
    You Have to Evaluate the Outcomes
    You Have to Have Good Leadership
    An Ocean of Research
    Further Reading

  Cultural Threats and Risks
    Cultural Threat Modeling
    Covert Processes and Cultural Risk
    Getting to Know PEPL
    Political Threats
    Turf Wars
    A Battle for Control
    Vendor Bias
    Emotional Threats
    Fear, Uncertainty, and Doubt
    Emotional Logic
    Psychological Threats
    Statistical Alchemy
    Cognitive Limitations
    With the Audience in Mind
    Cognitive Differences
    Logistical Threats
    Incompatible Systems
    Exceptions as the Rule
    Incompatible Outcomes
    Cultural Competition as a Source of Risk
    Sizing Up the Competition
    Competing Security Stakeholders
    Competing Security Priorities
    Competing Security Values
    Further Reading

II. Measuring Your Security Culture

  The Competing Security Cultures Framework
    Measuring Security Culture
    Quantitative Data and Analysis
    Nominal Data
    Ordinal Data
    Statistical Terms
    Interval Data
    Ratio Data
    Qualitative Data and Analysis
    Qualitative Approaches Revisited
    Artifacts as Data
    Combining the Qualitative and Quantitative
    Interviews
    Surveys
    Other Ways of Describing Culture
    Cultural Archetypes and Stereotypes
    Cultural Frameworks and Models
    Visualizing Culture
    The Competing Security Cultures Framework
    Origins of the CSCF in Competing Values Research
    Clan Cultures
    Adhocracies
    Hierarchies
    Adapting the Competing Values Framework to Security
    Degrees of Control
    Internal vs. External Focus
    The CSCF Quadrants
    Overlapping and Competing Values
    Limitations of the Framework
    Why Not Just Use the Competing Values Framework?
    Security Culture Benefits From a Targeted Approach
    Not Everything in the Competing Values Framework Translates Well
    Organizational Security Cultures
    Process Culture
    Core Values of the Process Culture
    Examples of Process Cultures
    Compliance Culture
    Core Values of the Compliance Culture
    Examples of Compliance Cultures
    Autonomy Culture
    Core Values of the Autonomy Security Culture
    Examples of Autonomy Cultures
    Trust Culture
    Core Values of the Trust Culture
    Examples of Trust Cultures
    Further Reading

  The Security Culture Diagnostic Survey (SCDS)
    SCDS Format and Structure
    How Surveys Work
    Questions in the SCDS
    What's Valued Most?
    How Does the Organization Work?
    What Does Security Mean?
    How Is Information Managed and Controlled?
    How Are Operations Managed?
    How Is Technology Managed?
    How Are People Managed?
    How Is Risk Managed?
    How Is Accountability Achieved?
    How Is Performance Evaluated?
    SCDS Scoring Methodology
    Scoring the SCDS Results
    Security Culture Diagnostic Strategies: Case Studies
    ABLE Manufacturing: Measuring an Existing Security Culture
    Comparing Different Security Cultures Within ABLE Manufacturing Corp.
    CHARLIE Systems, Inc.: Comparing Security Cultures of Two Organizations
    DOG: Comparing Existing to Desired Security Culture

  Creating Culture Maps with the Security Culture Diagnostic Survey
    Mapping and Visualization Tools
    Security Culture Maps
    Mapping Security Culture Using the CSCF
    Composition of a SCDS-based Culture Map
    Superimposing SCDS Responses on the CSCF Visual Model
    Other Techniques for Mapping Security Culture
    "When Should I Use Each Type of Map?"
    Mapping Specific Values and Activities
    Interpreting and Comparing Culture
    Interpreting SCDS Results
    Dominant Culture: The Way Things Get Done
    Cultural Conflict: "You Can't Do That Here..."
    Cultural Intensity
    Cultural Anomalies and Disconnects
    Comparing Cultures
    Comparing ABLE Manufacturing's Security Employee and Nonsecurity Employee Cultures
    Comparing DOG's Current Security Culture to Its Desired Security Culture

  Implementing a Successful Security Culture Diagnostic Project
    Getting Buy-in for the Security Culture Diagnostic Project
    Direct Benefits of Security Culture Improvement
    Increased Security and Efficiency
    Reduced Risk and Costs from Incidents
    Estimating the Financial Impact of Security Culture
    Monte Carlo Simulations
    Case Study: FOXTROT Integrators, Inc.
    Assumptions
    Scenarios
    The "68-95-99.7 Rule"
    Testing the Scenarios
    Using the Results of the Model
    Executing a Security Culture Diagnostic Project
    Setting Up the Project
    Defining the Project Strategy
    Defining the Context of the Assessment
    Performing a Cost/Benefit Analysis
    Engaging Senior Management
    Engaging Other Stakeholders
    Building the Project Team and Plan
    Collecting Data
    Using the Security Culture Diagnostic Survey
    Organizing Respondents
    Data Management and Storage
    Analyzing Responses
    Generating Security Culture Scores
    Creating Culture Maps
    Interpreting Culture and Communicating Results
    Aligning Data with Project Goals
    Communicating Security Culture
    From Measurement to Transformation
    Further Reading

III. Transforming Your Security Culture

  From Diagnosis to Transformation: Implementing People-Centric Security
    Diagnosis and Transformation: One Coin, Two Sides
    The CSCF as a Framework for Understanding
    What Is the Framework for Transformation?
    Behavioral Models for Security Culture Transformation
    Compliance and Control Regimes
    "Let's Sue the Auditors..."
    Security Process Improvement
    "But We Don't Do E-Commerce Here..."
    Technology and Automation Approaches
    Making It Personal...
    Security Needs More Options
    Further Reading

  Security FORCE: A Behavioral Model for People-Centric Security
    Origins of Security FORCE
    HRO Research
    Preoccupation with Failure
    Reluctance to Simplify
    Sensitivity to Operations
    Commitment to Resilience
    Deference to Expertise
    HROs in Information Security
    Studies in Failure
    Highly Reliable Security Programs
    Introducing the Security FORCE Behavioral Model
    Five Core Values of Security FORCE
    The Security Value of Failure
    The Security Value of Operations
    The Security Value of Resilience
    The Security Value of Complexity
    The Security Value of Expertise
    Security FORCE Value Behaviors and Metrics
    Security FORCE Value Behaviors
    Security FORCE Value Metrics
    The Culture-Behavior Link in HRSPs
    Only the Reliable Survive
    Further Reading

  The Security Value of Failure
    What Is the Security Value of Failure?
    "Failure Is Not an Option"
    Reevaluating Failure
    Embracing Failure
    Fail Small, Fail Fast, Fail Often
    Minor Accidents and Near Misses: Tracking the Seeds of Failure
    Failure Key Value Behaviors
    Anticipate Failures
    Seek Out Problems
    Reward Problem Reporting
    Share Information About Failures
    Learn from Mistakes
    "That Report Made a Good Paperweight"
    Assessing Your Failure Value Behaviors
    The Security FORCE Survey
    Scoring the Security FORCE Survey
    The Security FORCE Metrics
    Using the FORCE Failure Value Metrics
    Improving Your Failure Value Behaviors
    Embed the Security Value of Failure into People
    Reeducate People on What It Means to Fail
    Set Leadership Examples
    Open Up Communication
    Further Reading

  The Security Value of Operations
    What Is the Security Value of Operations?
    Operational Power
    Sensitivity to Operations
    Expectations and Reality
    Security Operations "Unplugged"
    Operations Key Value Behaviors
    Keep Your Eyes Open
    Form a Bigger Picture
    "Listen" to the System
    "Well, That's Just Your Hypothesis, Man!"
    Test Expectations Against Reality
    Exceptions to the Rules
    Share Operational Assessments
    Denial Ain't Just a River...
    Assessing Your Operations Value Behaviors
    Scoring the Operations Value Behavior Survey
    FORCE Value Metrics for Operations
    Using the FORCE Operations Value Metrics
    Improving Your Operations Value Behaviors
    Embed Operations Value into the Security Program
    Think More Like Scientists
    Embrace the "Sharing Economy"
    Lighten Up a Bit
    Further Reading

  The Security Value of Resilience
    What Is the Security Value of Resilience?
    When Bad Things Happen (to Good Organizations)
    Incident Response: We're Doing It Wrong
    Rolling with the Punches
    Imagining Failures and Disasters
    Resilience Under Fire
    Resilience Key Value Behaviors
    Overtrain People
    Exploring Human Capital
    Create "Skill Benches"
    Actively Share Expertise
    Encourage Stretch Goals
    Practice Failing
    The Unrecovered Country
    Assessing Your Resilience Value Behaviors
    Scoring the Resilience Value Behavior Survey
    FORCE Value Metrics for Resilience
    Using the FORCE Resilience Value Metrics
    Improving Your Resilience Value Behaviors
    Embed Resilience Value into the Security Program
    "A Security Incident? I Want In!"
    Make Security Incidents Mundane
    Further Reading

  The Security Value of Complexity
    What Is the Security Value of Complexity?
    Dumbing It Down
    Growing Uncertainty
    CVSS, Heartbleed, and the Uncertainty Challenge in Scoring Systems
    Ignorance Is Risk
    My Heat Map and I Have Boundary Issues
    Complexity Key Value Behaviors
    Don't Oversimplify
    Formalize Your Assumptions
    Covet Empirical Evidence
    Evidence and Falsifiability
    Share the Doubt
    Make Every Model Better
    Assessing Your Complexity Value Behaviors
    Scoring the Complexity Value Behavior Survey
    FORCE Value Metrics for Complexity
    Using the FORCE Complexity Value Metrics
    Average number of data points collected in support of individual organizational decisions
    Number of formal reviews of security plans by non-security stakeholders in the past year
    Improving Your Complexity Value Behaviors
    Embed Complexity Value into the Security Program
    Think Bigger
    Accept What We Already Know
    Further Reading

  The Security Value of Expertise
    What Is the Security Value of Expertise?
    Filter Your Water, Not Your Information
    Structural Authority vs. Structural Knowledge
    Bob and Clara Revisited: Migrating Authority
    Waiting for the Big One
    The Road to Damascus
    Expertise Key Value Behaviors
    Ask the Experts
    Suppress the Egos
    Allow Authority to Migrate
    Share Credibility
    Reward Calls to Action and Cries for Help
    "We're Changing the World"
    Assessing Your Expertise Value Behaviors
    Scoring the Expertise Value Behavior Survey
    FORCE Value Metrics for Expertise
    Using the FORCE Expertise Value Metrics
    Improving Your Expertise Value Behaviors
    Embed Expertise Value into the Security Program
    Make Everyone a Sensor
    Create Decision Fast Lanes
    Value Expertise from the Top Down
    Further Reading

  Behavior and Culture: Mastering People-Centric Security
    What Does Security Culture Transformation Mean?
    Describing Transformation in Terms of Cultural Capabilities Maturity
    The Cultural Capabilities Maturity Model: Formalizing Cultural Maturity
    Supporting Security Culture Transformation with Security FORCE Projects
    The Value of a Security FORCE Project
    Managing a Security FORCE Project
    Costs and Schedules
    Leadership Support and Engagement
    Stakeholder Engagement
    Respondents and Data
    The Security FORCE Scorecard
    Scoring the FORCE Survey Questions, Revisited
    Pooling Your FORCEs
    Security FORCE Metrics and the FORCE Scorecard
    "Are We a Highly Reliable Security Program?"
    GEORGE G, LLP
    HOTEL INDIA, Inc.
    KILO KING Enterprises
    CSCF and Security FORCE: Aligning Culture and Behavior in People-Centric Security
    Chaining Culture and Behavior Efforts
    Using the SCDS and FORCE Independently
    General Alignments Between Security FORCE and the CSCF
    Process Cultures and the Security Value of Operations
    Compliance Cultures and the Security Value of Failure
    Autonomy Cultures and the Security Value of Resilience
    Trust Cultures and the Security Value of Expertise
    Complexity Everywhere
    Taking Advantage of Cultural-Behavioral Alignments
    When Culture Makes Behavior Easier
    When Culture Makes Behavior Harder
    Blending Security Culture Diagnostic and Security FORCE Projects for Improved Cultural Maturity
    Further Reading

  Leadership, Power, and Influence in People-Centric Security
    A Crisis of Leadership
    The CISO as a Business Leader
    Business Leaders as Security Enablers
    Security Power Dynamics
    "What if I'm Not a CISO?"
    CISO Leadership Resources
    Leadership in People-Centric Security
    You Don't Lead Machines
    Influence and Transformation
    Adapting the CSCF and Security FORCE Model to Leadership
    The CSCF, SCDS, and Cultural Leadership
    The Security FORCE Model and Behavioral Leadership
    Further Reading

  Securing a People-Centric Future
    The Security of Things
    Social Security
    As Many Securities as Things to Secure
    Information
    Infrastructure
    Identity
    Privacy
    Framing People-Centric Security
    Security Soft Power
    Three Takeaways from the Book
    People Are the Most Important System to Secure
    Strong Culture Equals Strong Security
    Failure Is a Feature of Complex Systems
    Putting People-Centric Security to Work
    Two Models, One Goal
    People-Centric Security Strategies
    Improving Board and Business Stakeholder Engagement
    Supercharging Security Awareness
    People-Centric Incident Response
    Conclusion
    Further Reading