Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors

Expert guidance on the art and science of driving secure behaviors

Transformational Security Awareness empowers security leaders with the information and resources they need to assemble and deliver effective world-class security awareness programs that drive secure behaviors and culture change.

When all other processes, controls, and technologies fail, humans are your last line of defense. But, how can you prepare them? Frustrated with ineffective training paradigms, most security leaders know that there must be a better way. A way that engages users, shapes behaviors, and fosters an organizational culture that encourages and reinforces security-related values. The good news is that there is hope. That’s what Transformational Security Awareness is all about.

Author Perry Carpenter weaves together insights and best practices from experts in communication, persuasion, psychology, behavioral economics, organizational culture management, employee engagement, and storytelling to create a multidisciplinary masterpiece that transcends traditional security education and sets you on the path to make a lasting impact in your organization.

• Find out what you need to know about marketing, communication, behavior science, and culture management
• Overcome the knowledge-intention-behavior gap
• Optimize your program to work with the realities of human nature
• Use simulations, games, surveys, and leverage new trends like escape rooms to teach security awareness
• Put effective training together into a well-crafted campaign with ambassadors
• Understand the keys to sustained success and ongoing culture change
• Measure your success and establish continuous improvements

Do you care more about what your employees know or what they do? It's time to transform the way we think about security awareness. If your organization is stuck in a security awareness rut, using the same ineffective strategies, materials, and information that might check a compliance box but still leave your organization wide open to phishing, social engineering, and security-related employee mistakes and oversights, then you NEED this book.

346 pages, Kindle Edition

Published May 3, 2019


About the author

Perry Carpenter

11 books, 7 followers

Ratings & Reviews

Community Reviews

5 stars: 22 (40%)
4 stars: 22 (40%)
3 stars: 9 (16%)
2 stars: 0 (0%)
1 star: 1 (1%)
Displaying 1 - 6 of 7 reviews
Rick Howard
Author 3 books, 44 followers
March 25, 2021
This book is not so much about security awareness training as it is a leadership book and a marketing book that will give you techniques to help you implement your security awareness program. It provides you no guidance on what exactly to put into your program in terms of curriculum, but it does provide insight into how to implement it once you decide what you want your organization to be aware of.

For any training, the author, Perry Carpenter, a veteran in the security awareness training field, says that it is not enough to make your employees aware; you have to make them care. But then, it's not enough to make them care either; you have to give them tools to do something with their passion, something that is actually transformative. And this works for any cultural rules your organization is trying to establish, not just for security awareness training.

I think the key here is a realization that cybersecurity is much more than just the tech side. You have to be a communicator. You have to be a marketer. This is in line with another Cybersecurity Canon Hall of Fame book, "Winning as a CISO." Written in 2005, that book shows Rich Baich was well ahead of his time in recommending that CxOs get good at marketing.

But the premise of the book begs the question: is security awareness training necessary? Do we really need to spend time making the marketing English major down the hall an expert on pulling apart malicious URLs embedded in an email message? Of course not. But you might want to inform that person about how easy it is to report something suspicious in email or out by the dumpster to somebody who can do something about it. The point is that every organization is unique in what it needs people to be aware of. That's why Carpenter spends no time covering it.

But it also begs the question about the point of diminishing returns. How many resources do you need to spend on this compared to say your intrusion kill chain prevention program, your zero trust program, your resiliency program, and your orchestration program? How do you determine the amount of effort you put into this security awareness program that will actually reduce the probability of material impact in the future due to some cyber attack? Carpenter gives no guidance here.

I still recommend this book for the Cybersecurity Canon Hall of Fame because it hammers home that the cybersecurity executive is not just a techie. The security leaders in the company also have to be marketers and communicators.
Ben Rothke
350 reviews, 50 followers
October 2, 2019
When Coolio sang these words in “Gangsta’s Paradise,” I doubt that he had information security awareness in mind:

They say I gotta learn, but nobody's here to teach me

If they can't understand it, how can they reach me?

I guess they can't, I guess they won't

I guess they frontin’; that's why I know my life is out of luck, fool

While no one would accuse Coolio of being a pedagogue, the lyrics are quite applicable to the often-sorry state of information security awareness training. In Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley ISBN: 978-1-119-56634-2), author Perry Carpenter has written an interesting work that addresses the weakest link in information security—that of the end-user.

Truth be told, it's always easy to blame the end-user. However, the reality is that end-users make many mistakes when systems and interfaces are poorly designed. And they make security errors when they don't have effective training. That point was made eminently clear two decades ago in Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, by Alma Whitten and J. D. Tygar.

In that seminal paper, the authors argued that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near nonexistent.

When it comes to security awareness training, too many firms think that all they need to do is show their staff a boring PowerPoint and that they’ll somehow get the message. In the book, Carpenter pretty much throws out all of the old-school methods for security awareness and suggests much better methods to get the message across. In this valuable book, Carpenter shows the steps necessary to make information security awareness transform from a sleepy exercise to one that engages and informs all of the participants.

Carpenter writes that for security awareness to be successful, a multidisciplinary approach must be taken. To that end, he brings many insights on how to effectively get the awareness message across. While too many people focus on cute images and memes for the awareness presentation, the book shows how there is much more to awareness than that. There are areas of psychology, culture, communications, and much more that must be integrated into the awareness program for it to be effective.

At the beginning of chapter 3, Carpenter quotes Lance Spitzner of SANS, who noted that 80% of security awareness professionals have highly technical backgrounds. That shows that they understand the problem. However, if they don’t have the requisite communications and training skills, then the message of information security won’t get across. The rest of the book expands on that idea that for awareness to be effective, it has to be effectively thought out and implemented.

A large part of the process Carpenter tries to give over focuses on the notion of intentional focus. Unless the participants have this intentional focus on the content (and he spends much time on how to develop compelling content), then the awareness training will simply be a fruitless endeavor.

For those who are serious and looking to develop an information security awareness program that works and resonates a compelling message, Carpenter has written a highly practical guide to show you how to do that. There are no shortcuts suggested. Instead, the reader is expected to do the necessary legwork and develop their own awareness program.

The mark of a really good book is when, after reading it, you see that all of it makes sense. And this is indeed a really good book. The term Transformational in the title is not hyperbole. For those looking to ensure their users' security behaviors are done in a secure manner, this is a great guide to take you there.
Sally Kintz
180 reviews, 1 follower
February 14, 2023
I really enjoyed this book. It had a bit too much about marketing in it, but I think that's because I'm in that business. I can understand completely why he included it. Very thorough and still concise. I like his clean writing style and clarity of organization and purpose. It made me rethink the way I'm managing security at work and at the college.
2 reviews, 3 followers
October 21, 2020
Why do we need security awareness actively practiced by people throughout an organization? Why is it such an important part of a mature security program?
Many of us in the security industry already know why. It’s the idea that one weak link can cause a major security incident. What we don’t know is how to build an effective security awareness program that permeates throughout the organization starting at the very top with the CEO.
In Perry Carpenter’s book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley ISBN: 978-1-119-56634-2), you will learn tips and tricks to make an effective program that people value and that proactively prevents security events. By providing readers with actionable steps for building and sustaining security awareness programs, Carpenter gives us a resource worthy of being in the Cybersecurity Canon Hall of Fame.
By starting with why we need security awareness, as recommended by Carpenter, we can better understand what needs to be done and how to do it. Also, by beginning with the end in mind, we have a better vision for how to structure an impactful security awareness program where people feel they're part of the solution rather than the problem.
I recommend that approach with Transformational Security Awareness. To get the most value from it, don't feel compelled to read it serially. Skim Chapter one to understand the "Why" of security awareness. Then jump ahead to Chapters 8 and 9 to best understand your destination. This helps you map your security awareness journey from where you are to where you want to be. In looking through the Table of Contents, you can next choose an area of security awareness where you're struggling.
The core of the book provides Tools of Transformation with actionable ideas for improving how we deliver impactful security awareness. To do that, we need to understand areas not normally considered part of a security professional's skill set: Marketing, Communications, Human Behavior, and Corporate Culture.
• Marketing and Communication – Chapter 3 explains how security leaders can best communicate their message to have an impact on all involved. Concepts explained in this chapter include "Seven Key Takeaways from the Communications Discipline," "The Seven P's of Marketing," and "the Power of Emotion." Each of these is an invaluable tool for anyone looking to influence others.
• Behavior Management – Chapter 4 reminds us that we’re all human. Rather than chastising our users for being human, we need to learn how to leverage it. Carpenter uses concepts such as Nobel Prize-winning psychologist Daniel Kahneman’s Thinking Fast and Slow to understand human thinking for more impactful security awareness. He also delivers concrete ways of debugging behaviors that may undermine a security campaign.
• Culture Management – Chapter 5 is a must-read for both business and security leaders who set the organization’s culture. Here the reader is given tools to start, shift and set security-aware beliefs, behaviors and values throughout an organization by leveraging security champions at all levels.
• What's in a Modern Security Awareness Leader's Toolbox – Chapter 6 expands the number of instruments security leaders should use in their awareness programs. Here, Carpenter delivers both the methods and means for impactful security awareness through learning modules, micro-learning, events, and even day-to-day activities. If your security awareness program is struggling, this is the chapter for ideas on how to make it more robust.
Throughout Transformational Security Awareness, Carpenter sprinkles valuable mental notes, resources, and thoughts from industry leaders to help the reader better understand how to apply security awareness within their organization. The culmination is a treasure trove of ideas, providing us with one of the better (if not the best) books on how to deliver a successful security awareness program.
Robert Bogue
Author 20 books, 19 followers
March 19, 2020
The first highlight I have for the book is “Just because I’m aware doesn’t mean that I care.” It’s a truth that we first get exposed to around the age of three, when our theory of mind begins to accept that others think differently than we do – or at least they have different information. However, it’s a key challenge to remember when it comes to how to create a security awareness program that works, as Perry Carpenter explains in Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers can Teach Us About Driving Secure Behaviors.

Little Witch
64 reviews
June 6, 2024
Very interesting, with a lot of repetition so that the concepts really sink in 👍🏻