Forword xiiiIntroduction xxviiI Stopping Stupid is Your Job 11 Failure: The Most Common Option 3History is Not on the Users' Side 4Today's Common Approach 6Operational and Security Awareness 6Technology 7Governance 8We Propose a Strategy, Not Tactics 92 Users Are Part of the System 11Understanding Users' Role in the System 11Users Aren't Perfect 13"Users" Refers to Anyone in Any Function 13Malice is an Option 14What You Should Expect from Users 153 What is User-Initiated Loss? 17Processes 18Culture 20Physical Losses 22Crime 24User Malice 25Social Engineering 27User Error 28Inadequate Training 29Technology Implementation 30Design and Maintenance 31User Enablement 32Shadow IT 33Confusing Interfaces 35UIL is Pervasive 35II Foundational Concepts 374 Risk Management 39Death by 1,000 Cuts 40The Risk Equation 41Value 43Threats 47Vulnerabilities 48Countermeasures 54Risk Optimization 60Risk and User-Initiated Loss 635 The Problems with Awareness Efforts 65Awareness Programs Can Be Extremely Valuable 65Check-the-Box Mentality 66Training vs Awareness 68The Compliance Budget 68Shoulds vs Musts 70When It's Okay to Blame the User 72Awareness Programs Do Not Always Translate into Practice 74Structural Failings of Awareness Programs 75Further Considerations 776 Protection, Detection, and Reaction 79Conceptual Overview 80Protection 81Detection 82Reaction 84Mitigating a Loss in Progress 86Mitigating Future Incidents 87Putting It All Together 887 Lessons from Safety Science 89The Limitations of Old-School Safety Science 91Most UIL Prevention Programs Are Old-School 93The New School of Safety Science 94Putting Safety Science to Use 96Safety Culture 97The Need to Not Remove All Errors 98When to Blame Users 100We Need to Learn from Safety Science 1008 Applied Behavioral Science 103The ABCs of Behavioral Science 105Antecedents 106Behaviors 111Consequences 112Engineering Behavior vs Influencing Behavior 1209 Security Culture and Behavior 123ABCs of Culture 125Types of Cultures 127Subcultures 130What is Your Culture? 132Improving Culture 133Determining a Finite Set of Behaviors to Improve 134Behavioral Change Strategies 135Traditional Project Management 137Change Management 137Is Culture Your Ally? 13810 User Metrics 141The Importance of Metrics 141The Hidden Cost of Awareness 142Types of Awareness Metrics 143Compliance Metrics 144Engagement Metrics 145Behavioral Improvement 147Tangible ROI 149Intangible Benefits 149Day 0 Metrics 150Deserve More 15111 The Kill Chain 153Kill Chain Principles 154The Military Kill Chain 154The Cyber Kill Chain and Defense in Depth 155Deconstructing the Cyber Kill Chain 157Phishing Kill Chain Example 159Other Models and Frameworks 162Applying Kill Chains to UIL 16412 Total Quality Management Revisited 167TQM: In Search of Excellence 168Exponential Increase in Errors 169Principles of TQM 171What Makes TQM Fail? 172Other Frameworks 174Product Improvement and Management 177Kill Chain for Process Improvement 178COVID-19 Remote Workforce Process Activated 178Applying Quality Principles 179III Counter measures 18113 Governance 183Defining the Scope of Governance for Our Purposes 184Operational Security or Loss Mitigation 185Physical Security 186Personnel Security 186Traditional Governance 187Policies, Procedures, and Guidelines 188In the Workplace 190Security and the Business 191Analyzing Processes 192Grandma's House 19414 Technical Countermeasures 197Personnel Countermeasures 199Background Checks 200Continuous Monitoring 201Employee Management Systems 201Misuse and Abuse Detection 202Data Leak Prevention 203Physical Countermeasures 203Access Control Systems 203Surveillance and Safety Systems 204Point-of-Sale Systems 206Inventory Systems and Supply Chains 207Computer Tracking Systems 207Operational Countermeasures 208Accounting Systems 209Customer Relationship Management 210Operational Technology 210Workflow Management 211Cybersecurity Countermeasures 212The 20 CIS Controls and Resources 212Anti-malware Software 213Whitelisting 214Firewalls 214Intrusion Detection/Prevention Systems 215Managed Security Services 215Backups 215Secure Configurations 216Automated Patching 216Vulnerability Management Tools 217Behavioral Analytics 217Data Leak Prevention 218Web Content Filters/Application Firewalls 218Wireless and Remote Security 219Mobile Device Management 219Multifactor Authentication 220Single Sign-On 221Encryption 221Nothing is Perfect 223Putting It All Together 22315 Creating Effective Awareness Programs 225What is Effective Awareness? 226Governance as the Focus 227Where Awareness Strategically Fits in the Organization 229The Goal of Awareness Programs 230Changing Culture 231Defining Subcultures 232Interdepartmental Cooperation 233The Core of All Awareness Efforts 234Process 235Business Drivers 237Culture and Communication Tools 238Putting It Together 245Metrics 246Gamification 246Gamification Criteria 247Structuring Gamification 248Gamification is Not for Everyone 248Getting Management's Support 249Awareness Programs for Management 249Demonstrate Clear Business Value 250Enforcement 250Experiment 251IV Applying Boom 25316 Start with Boom 255What Are the Actions That Initiate UIL? 257Start with a List 257Order the List 258Metrics 259Governance 260User Experience 261Prevention and Detection 262Awareness 263Feeding the Cycle 263Stopping Boom 26417 Right of Boom 265Repeat as Necessary 266What Does Loss Initiation Look Like? 267What Are the Potential Losses? 268Preventing the Loss 272Compiling Protective Countermeasures 273Detecting the Loss 274Before, During, and After 275Mitigating the Loss 276Determining Where to Mitigate 277Avoiding Analysis Paralysis 278Your Last Line of Defense 27818 Preventing Boom 279Why Are We Here? 280Reverse Engineering 281Governance 283Awareness 284Technology 285Step-by-Step 28719 Determining the Most Effective Countermeasures 289Early Prevention vs Response 290Start with Governance 292Understand the Business Goal 293Start Left of Boom 294Consider Technology 295Prioritize Potential Loss 296Define Governance Thoroughly 297Matrix Technical Countermeasures 299Creating the Matrix 300Define Awareness 301It's Just a Start 30220 Implementation Considerations 303You've Got Issues 304Weak Strategy 304Resources, Culture, and Implementation 305Lack of Ownership and Accountability 307One Effort at a Time 308Change Management 308Adopting Changes 309Governance, Again 314Business Case for a Human Security Officer 315It Won't Be Easy 31621 If You Have Stupid Users, You Have a Stupid System 317A User Should Never Surprise You 317Perform Some More Research 318Start Somewhere 319Take Day Zero Metrics 320UIL Mitigation is a Living Process 320Grow from Success 321The Users Are Your Canary in the Mine 322Index 325

Ira Winkler, CISSP, is President of Secure Mentem and is widely viewed as one of the world's most influential security professionals. Ira is the recipient of several prestigious industry awards, including being named "The Awareness Crusader" by CSO magazine in receiving their CSO COMPASS Award. Dr. Tracy Celaya Brown, CISSP, is President of Go Consulting International. She is a sought-after consultant in IT Security Program Management, Organizational Development, and Change Management.