Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors

Expert guidance on the art and science of driving secure behaviors
Transformational Security Awareness empowers security leaders with the information and resources they need to assemble and deliver effective world-class security awareness training programs that drive secure behaviors and culture change.
When all other processes, controls, and technologies fail, humans are your last line of defense. But how can you prepare them? Frustrated with ineffective training paradigms, most security leaders know that there must be a better way. A way that engages users, shapes behaviors, and fosters an organizational culture that encourages and reinforces security-related values. The good news is that there is hope. That's what Transformational Security Awareness is all about.
Author Perry Carpenter weaves together insights and best practices from experts in communication, persuasion, psychology, behavioral economics, organizational culture management, employee engagement, and storytelling to create a multidisciplinary masterpiece that transcends traditional security education and sets you on the path to make a lasting impact in your organization. Do you care more about what your employees know or what they do? It's time to transform the way we think about security awareness. If your organization is stuck in a security awareness rut, using the same ineffective strategies, materials, and information that might check a compliance box but still leaves your organization wide open to phishing, social engineering, and security-related employee mistakes and oversights, then you NEED this book.

368 pages, Paperback

Published May 21, 2019

About the author

Perry Carpenter

Community Reviews

5 stars: 3 (33%)
4 stars: 3 (33%)
3 stars: 2 (22%)
2 stars: 1 (11%)
1 star: 0 (0%)

Persy
April 19, 2024
“Don’t neglect the power of emotion and story. The more human the ideas become, the better. Move away from abstract, security-centric information and connect the information to human-centric outcomes, purposes, and compelling visuals.”

A great bird’s eye view into security awareness programs and what it means to effectively educate users. There are many great nuggets of wisdom here—definitely a great read for anyone starting out in cybersecurity or human-risk management.
Ben Rothke
October 16, 2019
When Coolio sang these words in “Gangsta’s Paradise,” I doubt that he had information security awareness in mind:

They say I gotta learn, but nobody's here to teach me
If they can't understand it, how can they reach me?
I guess they can't, I guess they won't
I guess they frontin’; that's why I know my life is out of luck, fool

While no one would accuse Coolio of being a pedagogue, the lyrics are quite applicable to the often-sorry state of information security awareness training. In Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley ISBN: 978-1-119-56634-2), author Perry Carpenter has written an interesting work that addresses the weakest link in information security—that of the end-user.

The truth be told, it’s always easy to blame the end-user. However, the reality is that end-users make many mistakes when systems and interfaces are poorly designed. And they make security errors when they don’t have effective training. That point was made eminently clear two decades ago in Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0, by Alma Whitten and J. D. Tygar.

In that seminal paper, the authors argued that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near nonexistent.

When it comes to security awareness training, too many firms think that all they need to do is show their staff a boring PowerPoint and that they’ll somehow get the message. In the book, Carpenter pretty much throws out all of the old-school methods for security awareness and suggests much better methods to get the message across. In this valuable book, Carpenter shows the steps necessary to make information security awareness transform from a sleepy exercise to one that engages and informs all of the participants.

Carpenter writes that for security awareness to be successful, a multidisciplinary approach must be taken. To that end, he brings many insights on how to effectively get the awareness message across. While too many people focus on cute images and memes for the awareness presentation, the book shows how there is much more to awareness than that. There are areas of psychology, culture, communications, and much more that must be integrated into the awareness program for it to be effective.

At the beginning of chapter 3, Carpenter quotes Lance Spitzner of SANS, who noted that 80% of security awareness professionals have highly technical backgrounds. That shows that they understand the problem. However, if they don’t have the requisite communications and training skills, then the message of information security won’t get across. The rest of the book expands on that idea that for awareness to be effective, it has to be effectively thought out and implemented.

A large part of the process Carpenter tries to give over focuses on the notion of intentional focus. Unless the participants have this intentional focus on the content (and he spends much time on how to develop compelling content), then the awareness training will simply be a fruitless endeavor.

For those who are serious and looking to develop an information security awareness program that works and resonates a compelling message, Carpenter has written a highly practical guide to show you how to do that. There are no shortcuts suggested. Instead, the reader is expected to do the necessary legwork and develop their own awareness program.

The mark of a really good book is when after reading it you see that all of it makes sense. And this is indeed a really good book. The term Transformational in the title is not a hyperbole. For those looking to ensure their users’ security behaviors are done in a secure manner, this is a great guide to take you there.
Mark
December 28, 2023
DNF after about 2/3rds of the way through. It wasn’t very interesting. Mostly felt like a lightweight survey of the industry and some related concepts. You never get the impression of any depth. Valuable more for the source material it links to. Could use the attention of a decent copy editor. Might be worth your while if you get it on sale as an ebook.