| |
| |
| Acknowledgements | |
| |
| |
| Foreword | |
| |
| |
| Introduction | |
| |
| |
| |
| Power to the people | |
| |
| |
| The power is out there - somewhere | |
| |
| |
| An information rich world | |
| |
| |
| When in doubt, phone a friend | |
| |
| |
| Engage with the public | |
| |
| |
| The power of the blogosphere | |
| |
| |
| The future of news | |
| |
| |
| Leveraging new ideas | |
| |
| |
| Changing the way we live | |
| |
| |
| Transforming the political landscape | |
| |
| |
| Network effects in business | |
| |
| |
| Being there | |
| |
| |
| Value in the digital age | |
| |
| |
| Hidden value in networks | |
| |
| |
| Network innovations create security challenges | |
| |
| |
| You�ve been de-perimeterized! | |
| |
| |
| The collapse of information management | |
| |
| |
| The shifting focus of information security | |
| |
| |
| The external perspective | |
| |
| |
| A new world of openness | |
| |
| |
| A new age of collaborative working | |
| |
| |
| Collaboration oriented architecture | |
| |
| |
| Business in virtual worlds | |
| |
| |
| Democracy-but not as we know it | |
| |
| |
| Don�t lock down that network | |
| |
| |
| The future of network security | |
| |
| |
| Can we trust the data? | |
| |
| |
| The art of disinformation | |
| |
| |
| The future of knowledge | |
| |
| |
| The next big security concern | |
| |
| |
| Learning from networks | |
| |
| |
| |
| Everyone makes a difference | |
| |
| |
| Where to focus your efforts | |
| |
| |
| The view from the bridge | |
| |
| |
| The role of the executive board | |
| |
| |
| The new threat of data leakage | |
| |
| |
| The perspective of business management | |
| |
| |
| The role of the business manager | |
| |
| |
| Engaging with business managers | |
| |
| |
| The role of the IT function | |
| |
| |
| Minding your partners | |
| |
| |
| Computer users | |
| |
| |
| Customers and citizens | |
| |
| |
| Learning from stakeholders | |
| |
| |
| |
| There�s no such thing as an isolated incident | |
| |
| |
| What lies beneath? | |
| |
| |
| Accidents waiting to happen | |
| |
| |
| No system is foolproof | |
| |
| |
| Visibility is the key | |
| |
| |
| A lesson from the safety field | |
| |
| |
| Everyone makes mistakes | |
| |
| |
| The science of error prevention | |
| |
| |
| Swiss cheese and security | |
| |
| |
| How significant was that event? | |
| |
| |
| Events are for the record | |
| |
| |
| When an event becomes an incident | |
| |
| |
| The immediacy of emergencies | |
| |
| |
| When disaster strikes | |
| |
| |
| When events spiral out of control | |
| |
| |
| How the response process changes | |
| |
| |
| No two crises are the same | |
| |
| |
| One size doesn�t fit all | |
| |
| |
| The limits of planning | |
| |
| |
| Some assets are irreplaceable | |
| |
| |
| It�s the process, not the plan | |
| |
| |
| Why crisis management is hard | |
| |
| |
| Skills to manage a crisis | |
| |
| |
| Dangerous detail | |
| |
| |
| The missing piece of the jigsaw | |
| |
| |
| Establish the real cause | |
| |
| |
| Are you incubating a crisis? | |
| |
| |
| When crisis management becomes the problem | |
| |
| |
| Developing crisis strategy | |
| |
| |
| Turning threats into opportunities | |
| |
| |
| Boosting market capitalization | |
| |
| |
| Anticipating events | |
| |
| |
| Anticipating opportunities | |
| |
| |
| Designing crisis team structures | |
| |
| |
| How many teams? | |
| |
| |
| Who takes the lead? | |
| |
| |
| Ideal team dynamics | |
| |
| |
| Multi-agency teams | |
| |
| |
| The perfect environment | |
| |
| |
| The challenge of the virtual environment | |
| |
| |
| Protocols for virtual team working | |
| |
| |
| Exercising the crisis team | |
| |
| |
| Learning from incidents | |
| |
| |
| |
| Zen and the art of risk management | |
| |
| |
| East meets West | |
| |
| |
| The nature of risks | |
| |
| |
| Who invented risk management? | |
| |
| |
| We could be so lucky | |
| |
| |
| Components of risk | |
| |
| |
| Gross or net risk? | |
| |
| |
| Don�t lose sight of business | |
| |
| |
| How big is your appetite? | |
| |
| |
| It�s an emotional thing | |
| |
| |
| In the eye of the beholder | |
| |
| |
| What risk was that? | |
| |
| |
| Living in the past | |
| |
| |
| Who created that risk? | |
| |
| |
| It�s not my problem | |
| |
| |
| Size matters | |
| |
| |
| Getting your sums right | |
| |
| |
| Some facts are counter-intuitive | |
| |
| |
| The loaded dice | |
| |
| |
| The answer is 42 | |
| |
| |
| It�s just an illusion | |
| |
| |
| Context is king | |
| |
| |
| Perception and reality | |
| |
| |
| It�s a relative thing | |
| |
| |
| Risk, what risk? | |
| |
| |
| Something wicked this way comes | |
| |
| |
| The black swan | |
| |
| |
| Double jeopardy | |
| |
| |
| What type of risk? | |
| |
| |
| Lessons from the process industries | |
| |
| |
| Lessons from cost engineering | |
| |
| |
| Lessons from the financial sector | |
| |
| |
| Lessons from the insurance field | |
| |
| |
| The limits of percentage play | |
| |
| |
| Operational risk | |
| |
| |
| Joining up risk management | |
| |
| |
| General or specific? | |
| |
| |
| Identifying and ranking risks | |
| |
| |
| Using checklists | |
| |
| |
| Categories of risks | |
| |
| |
| It�s a moving target | |
| |
| |
| Comparing and ranking risks | |
| |
| |
| Risk management strategies | |
| |
| |
| Communicating risk appetite | |
| |
| |
| Risk management maturity | |
| |
| |
| There�s more to security than risk | |
| |
| |
| It�s a decision support tool | |
| |
| |
| The perils of risk assessment | |
| |
| |
| Learning from risk management | |
| |
| |
| |
| Who can you trust? | |
| |
| |
| An asset or a liability? | |
| |
| |
| People are different | |
| |
| |
| The rule of four | |
| |
| |
| The need to conform | |
| |
| |
| Understand your enemies | |
| |
| |
| The face of the enemy | |
| |
| |
| Run silent, run deep | |
| |
| |
| Dreamers and charmers | |
| |
| |
| The unfashionable hacker | |
| |
| |
| The psychology of scams | |
| |
| |
| Visitors are welcome | |
| |
| |
| Where loyalties lie | |
| |
| |
| Signs of disloyalty | |
| |
| |
| The whistleblower | |
| |
| |
| Stemming the leaks | |
| |
| |
| Stamping out corruption | |
| |
| |
| Know your staff | |
| |
| |
| We know what you did | |
| |
| |
| Reading between the lines | |
| |
| |
| Liberty or death | |
| |
| |
| Personality types | |
| |
| |
| Personalities and crime | |
| |
| |
| The dark triad | |
| |
| |
| Cyberspace is less risky | |
| |
| |
| Set a thief | |
| |
| |
| It�s a glamor profession | |
| |
| |
| There are easier ways | |
| |
| |
| I just don�t believe it | |
| |
| |
| Don�t lose that evidence | |
| |
| |
| They had it coming | |
| |
| |
| The science of investigation | |
| |
| |
| The art of interrogation | |
| |
| |
| Secure by design | |
| |
| |
| Science and snake oil | |
| |
| |
| The art of hypnosis | |
| |
| |
| The power of suggestion | |
| |
| |
| It�s just an illusion | |
| |
| |
| It pays to cooperate | |
| |
| |
| Artificial trust | |
| |
| |
| Who are you? | |
| |
| |
| How many identities? | |
| |
| |
| Laws of identity | |
| |
| |
| Learning from people | |
| |
| |
| |
| Managing organization culture and politics | |
| |
| |
| When worlds collide | |
| |
| |
| What is organization culture? | |
| |
| |
| Organizations are different | |
| |
| |
| Organizing for security | |
| |
| |
| Tackling "localities" | |
| |
| |
| Small is beautiful | |
| |
| |
| In search of professionalism | |
| |
| |
| Developing careers | |
| |
| |
| Skills for information security | |
| |
| |
| Information skills | |
| |
| |
| Survival skills | |
| |
| |
| Navigating the political minefield | |
| |
| |
| Square pegs and round holes | |
| |
| |
| What�s in a name? | |
| |
| |
| Managing relationships | |
| |
| |
| Exceeding expectations | |
| |
| |
| Nasty or nice | |
| |
| |
| In search of a healthy security culture | |
| |
| |
| In search of a security mindset | |
| |
| |
| Who influences decisions? | |
| |
| |
| Dealing with diversity | |
| |
| |
| Don�t take yes for an answer | |
| |
| |
| Learning from organization culture and politics | |
| |
| |
| |
| Designing effective awareness programs | |
| |
| |
| Requirements for change | |
| |
| |
| Understanding the problem | |
| |
| |
| Asking the right questions | |
| |
| |
| The art of questionnaire design | |
| |
| |
| Hitting the spot | |
| |
| |
| Campaigns that work | |
| |
| |
| Adapting to the audience | |
| |
| |
| Memorable messages | |
| |
| |
| Let�s play a game | |
| |
| |
| The power of three | |
| |
| |
| Creating an impact | |
| |
| |
| What�s in a word? | |
| |
| |
| Benefits not features | |
| |
| |
| Using professional support | |
| |
| |
| The art of technical writing | |
| |
| |
| Marketing experts | |
| |
| |
| Brand managers | |
| |
| |
| Creative teams | |
| |
| |
| The power of the external perspective | |
| |
| |
| Managing the media | |
| |
| |
| Behavioral psychologists | |
| |
| |
| Blogging for security | |
| |
| |
| Measuring your success | |
| |
| |
| Learning to conduct campaigns | |
| |
| |
| |
| Transforming organization attitudes and behavior | |
| |
| |
| Changing mindsets | |
| |
| |
| Reward beats punishment | |
| |
| |
| Changing attitudes | |
| |
| |
| Scenario planning | |
| |
| |
| Successful uses of scenarios | |
| |
| |
| Dangers of scenario planning | |
| |
| |
| Images speak louder | |
| |
| |
| A novel approach | |
| |
| |
| The balance of consequences | |
| |
| |
| The power of attribution | |
| |
| |
| Environments shape behavior | |
| |
| |
| Enforcing the rules of the network | |
| |
| |
| Encouraging business ethics | |
| |
| |
| The art of online persuasion | |
| |
| |
| Learning to change behavior | |
| |
| |
| |
| Gaining executive board and business buy-in | |
| |
| |
| Countering security fatigue | |
| |
| |
| Money isn�t everything | |
| |
| |
| What makes a good business case? | |
| |
| |
| Aligning with investment appraisal criteria | |
| |
| |
| Translating benefits into financial terms | |
| |
| |
| Aligning with IT strategy | |
| |
| |
| Achieving a decisive result | |
| |
| |
| Key elements of a good business case | |
| |
| |
| Assembling the business case | |
| |
| |
| Identifying and assessing benefits | |
| |
| |
| Something from nothing | |
| |
| |
| Reducing project risks | |
| |
| |
| Framing your recommendations | |
| |
| |
| Mastering the pitch | |
| |
| |
| Learning how to make the business case | |
| |
| |
| |
| Designing security systems that work | |
| |
| |
| Why systems fail | |
| |
| |
| Setting the vision | |
| |
| |
| What makes a good vision? | |
| |
| |
| Defining your mission | |
| |
| |
| Building the strategy | |
| |
| |
| Critical success factors for effective governance | |
| |
| |
| The smart approach to governance | |
| |
| |
| Don�t reinvent the wheel | |
| |
| |
| Look for precedents from other fields | |
| |
| |
| Take a top down approach | |
| |
| |
| Start small, then extend | |
| |
| |
| Take a strategic approach | |
| |
| |
| Ask the bigger question | |
| |
| |
| Identify and assess options | |
| |
| |
| Risk assessment or prescriptive controls? | |
| |
| |
| In a class of their own | |
| |
| |
| Not all labels are the same | |
| |
| |
| Guidance for technology and people | |
| |
| |
| Designing long-lasting frameworks | |
| |
| |
| Applying the fourth dimension | |
| |
| |
| Do we have to do that? | |
| |
| |
| Steal with caution | |
| |
| |
| The golden triangle | |
| |
| |
| Managing risks across outsourced supply chains | |
| |
| |
| Models, frameworks and architectures | |
| |
| |
| Why we need architecture | |
| |
| |
| The folly of enterprise security architectures | |
| |
| |
| Real-world security architecture | |
| |
| |
| The 5 W�s (and one H) | |
| |
| |
| Occam�s razor | |
| |
| |
| Trust architectures | |
| |
| |
| Secure by design | |
| |
| |
| Jericho Forum principles | |
| |
| |
| Collaboration oriented architecture | |
| |
| |
| Forwards not backwards | |
| |
| |
| Capability maturity models | |
| |
| |
| The power of metrics | |
| |
| |
| Closing the loop | |
| |
| |
| The importance of ergonomics | |
| |
| |
| It�s more than ease of use | |
| |
| |
| The failure of designs | |
| |
| |
| Ergonomic methods | |
| |
| |
| A nudge in the right direction | |
| |
| |
| Learning to design systems that work | |
| |
| |
| |
| Harnessing the power of the organization | |
| |
| |
| The power of networks | |
| |
| |
| Surviving in a hostile world | |
| |
| |
| Mobilizing the workforce | |
| |
| |
| Work smarter, not harder | |
| |
| |
| Finding a lever | |
| |
| |
| The art of systems thinking | |
| |
| |
| Creating virtuous circles | |
| |
| |
| Triggering a tipping point | |
| |
| |
| Identifying key influencers | |
| |
| |
| In search of charisma | |
| |
| |
| Understanding fashion | |
| |
| |
| The power of context | |
| |
| |
| The bigger me | |
| |
| |
| The power of the herd | |
| |
| |
| The wisdom of crowds | |
| |
| |
| Unlimited resources - the power of open source | |
| |
| |
| Unlimited purchasing power | |
| |
| |
| Let the network to do the work | |
| |
| |
| Why is everything getting more complex? | |
| |
| |
| Getting to grips with complexity | |
| |
| |
| Simple can�t control complex | |
| |
| |
| Designing freedom | |
| |
| |
| A process-free world | |
| |
| |
| The power of expressive systems | |
| |
| |
| Emergent behavior | |
| |
| |
| Why innovation is important | |
| |
| |
| What is innovation? | |
| |
| |
| What inspires people to create? | |
| |
| |
| Just one idea is enough | |
| |
| |
| The art of creative thinking | |
| |
| |
| Yes, you can | |
| |
| |
| Outside the box | |
| |
| |
| Innovation environments | |
| |
| |
| Turning ideas into action | |
| |
| |
| Steps to innovation heaven | |
| |
| |
| The road ahead | |
| |
| |
| Mapping the future | |
| |
| |
| Learning to harness the power of the organization | |
| |
| |
| In conclusion | |