Building an Information Security Awareness Program

Book description

The best defense against the increasing threat of social engineering attacks is Security Awareness Training to warn your organization's staff of the risk and educate them on how to protect your organization's data. Social engineering is not a new tactic, but Building an Information Security Awareness Program is the first book that shows you how to build a successful security awareness training program from the ground up.

Building an Information Security Awareness Program provides you with a sound technical basis for developing a new training program. The book also tells you the best ways to garner management support for implementing the program. Author Bill Gardner is one of the founding members of the Security Awareness Training Framework. Here, he walks you through the process of developing an engaging and successful training program for your organization that will help you and your staff defend your systems, networks, mobile devices, and data.

Forewords written by Dave Kennedy and Kevin Mitnick!

  • The most practical guide to setting up a Security Awareness training program in your organization
  • Real world examples show you how cyber criminals commit their crimes, and what you can do to keep you and your data safe
  • Learn how to propose a new program to management, and what the benefits are to staff and your company
  • Find out about various types of training, the best training cycle to use, metrics for success, and methods for building an engaging and successful program

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedications
  6. Forewords
  7. Preface
  8. About the Authors
  9. Acknowledgments
  10. Chapter 1: What Is a Security Awareness Program?
    1. Abstract
    2. Introduction
    3. Policy Development
    4. Policy Enforcement
    5. Cost Savings
    6. Production Increases
    7. Management Buy-In
  11. Chapter 2: Threat
    1. Abstract
    2. The Motivations of Online Attackers
    3. Money
    4. Industrial Espionage/Trade Secrets
    5. Hacktivism
    6. Cyber War
    7. Bragging Rights
  12. Chapter 3: Cost of a Data Breach
    1. Abstract
    2. Ponemon Institute
    3. HIPAA
    4. The Payment Card Industry Data Security Standard (PCI DSS)
    5. State Breach Notification Laws
  13. Chapter 4: Most Attacks Are Targeted
    1. Abstract
    2. Targeted Attacks
    3. Recent Targeted Attacks
    4. Targeted Attacks Against Law Firms
    5. Operation Shady RAT
    6. Operation Aurora
    7. Night Dragon
    8. Watering Hole Attacks
    9. Common Attack Vectors: Common Results
  14. Chapter 5: Who Is Responsible for Security?
    1. Abstract
    2. Information Technology (IT) Staff
    3. The Security Team
    4. The Receptionist
    5. The CEO
    6. Accounting
    7. The Mailroom/Copy Center
    8. The Runner/Courier
    9. Everyone Is Responsible For Security
  15. Chapter 6: Why Current Programs Don't Work
    1. Abstract
    2. The Lecture is Dead as a Teaching Tool
  16. Chapter 7: Social Engineering
    1. Abstract
    2. What is Social Engineering?
    3. Who are Social Engineers?
    4. Why Does It Work?
    5. How Does It Work?
    6. Information Gathering
    7. Attack Planning and Execution
    8. The Social Engineering Defensive Framework (SEDF)
    9. Where Can I Learn More About Social Engineering?
  17. Chapter 8: Physical Security
    1. Abstract
    2. What is Physical Security?
    3. Physical Security Layers
    4. Threats to Physical Security
    5. Why Physical Security is Important to an Awareness Program
    6. How Physical Attacks Work
    7. Minimizing the Risk of Physical Attacks
  18. Chapter 9: Types of Training
    1. Abstract
    2. Training Types
    3. Formal Training
    4. Informal Training
  19. Chapter 10: The Training Cycle
    1. Abstract
    2. The Training Cycle
    3. New Hire
    4. Quarterly
    5. Biannual
    6. Continual
    7. Point of Failure
    8. Targeted Training
    9. Sample Training Cycles
    10. Adjusting Your Training Cycle
  20. Chapter 11: Creating Simulated Phishing Attacks
    1. Abstract
    2. Simulated Phishing Attacks
    3. Understanding the Human Element
    4. Methodology
    5. Open-Source Tool, Commercial Tool, or Vendor Performed?
    6. Before You Begin
    7. Determine Attack Objective
    8. Select Recipients
    9. Select a Type of Phishing Attack
    10. Composing the E-mail
    11. Creating the Landing Page
    12. Sending the E-mail
    13. Tracking Results
    14. Post Assessment Follow-up
  21. Chapter 12: Bringing It All Together
    1. Abstract
    2. Create a Security Awareness Website
    3. Sample Plans
    4. Promoting Your Awareness Program
  22. Chapter 13: Measuring Effectiveness
    1. Abstract
    2. Measuring Effectiveness
    3. Measurements vs. Metrics
    4. Creating Metrics
    5. Additional Measurements
    6. Reporting Metrics
  23. Chapter 14: Stories from the Front Lines
    1. Abstract
    2. Phil Grimes
    3. Amanda Berlin
    4. Jimmy Vo
    5. Security Research at Large Information Security Company
    6. Harry Regan
    7. Tess Schrodinger
    8. Security Analyst at a Network Security Company
    9. Ernie Hayden
  24. Appendices
    1. Appendix A: Government Resources
    2. Appendix B: Security Awareness Tips
    3. Appendix C: Sample Policies
    4. Appendix D: Commercial Security Awareness Training Resources
    5. Appendix E: Other Web Resources and Links
    6. Security Awareness Posters
    7. Appendix F: Technical Tools That Can Be Used to Test Security Awareness Programs
    8. Appendix G: The Security Awareness Training Framework
    9. Appendix H: Building A Security Awareness Training Program Outline
    10. Appendix I: State Security Breach Notification Laws
    11. Appendix J: West Virginia State Breach Notification Laws, W.V. Code §§ 46A-2A-101 et seq
    12. Appendix K: HIPAA Breach Notification Rule
    13. Notification by a Business Associate
    14. Federal Trade Commission (FTC) Health Breach Notification Rule
    15. Appendix L: Complying with the FTC Health Breach Notification Rule
    16. Who's Covered by the Health Breach Notification Rule
    17. You're Not a Vendor of Personal Health Records If You're Covered by HIPAA
    18. Third-Party Service Provider
    19. What Triggers the Notification Requirement
    20. What to do If a Breach Occurs
    21. Who You Must Notify and When You Must Notify Them
    22. How to Notify People
    23. What Information to Include
    24. Answers to Questions About the Health Breach Notification Rule
    25. We're a HIPAA Business Associate, But We Also Offer Personal Health Record Services to the Public. Which Rule Applies to Us?
    26. What's the Penalty for Violating the FTC Health Breach Notification Rule?
    27. Law Enforcement Officials Have Asked Us to Delay Notifying People About the Breach. What Should We Do?
    28. Where Can I Learn More About the FTC Health Breach Notification Rule? Visit
    29. Your Opportunity to Comment
    30. Appendix L: Information Security Conferences
    31. Appendix M: Recorded Presentations on How to Build an Information Security Awareness Program
    32. Appendix N: Articles on How to Build an Information Security Awareness Program
  25. Index

Product information

  • Title: Building an Information Security Awareness Program
  • Author(s): Bill Gardner, Valerie Thomas
  • Release date: August 2014
  • Publisher(s): Syngress
  • ISBN: 9780124199811