2FA (two-factor authentication) 21, 36
ABC approach 1, 14–15, 17, 19, 20, 88, 100–2, 107–18
Accelerated Learning 29–30, 37
AIDA (awareness, interest, desire and action) 109
anti-phishing training 61–2, 64
artefacts 71, 73, 81, 82, 85, 104, 111, 112, 116–17
assumptions, challenging 99–100
audience, knowing your 36–7, 41
automated tools 56
availability heuristic 98
awareness
  ABC approach 1, 14–15, 17, 19, 20, 107, 108–9, 112–15, 117
  Accelerated Learning 29–30, 37
  balancing awareness, training and education 5–7
  clicking links 1, 2, 5, 9, 11, 13, 18, 21, 27, 30, 32, 34
  culture’s role in 78
  data breaches 16, 18–19, 20, 31
  Extended Parallel Process Model 31–2, 33
  fear appeals 21, 26, 30–3, 34, 38
  Feynman technique 27–9, 30, 37
  focussing on ourselves alone 12–13
  importance to employees 2–3, 11
  phishing attacks 3, 4, 5, 9, 10, 16, 18, 19, 21–2, 30, 34, 36
  raising 6–7, 9, 17–22, 26–9, 35, 36–7, 64, 74, 104–5
  responsibility for 2
  situational awareness 18, 25, 76
B2B (business to business) teams 71
B2C (business to consumer) teams 71
behaviour
  awareness-raising programmes 20–2
  information security policy 41, 50, 52–5, 64
  myths of awareness 3
  phishing attacks 40–1, 49–50, 52, 57, 58, 61–2, 64
  planned behaviour 42, 43, 50, 51, 54
  protection motivation theory 43–4, 50, 51
  psychology 39, 41, 43–4, 50, 52, 56, 58–60
  punishment/reinforcement models 56–7, 59, 61, 63–4
  reliability and validity 39, 47–8
  specific cybersecurity behaviours 57–63
  techniques for changing behaviour 55–63
board involvement 96
BYOD (bring your own device) 63
Carlzon, Jan 111
CBT (computer-based training) 7, 9, 23
CEOs (chief executive officers) 14, 92, 94, 95
champions 23–4, 25, 29, 36, 71, 93, 95, 116
CISM (Certified Information Security Manager) 7
CISOs (chief information security officers)
  ABC approach 111
  culture 66, 71, 88, 89, 93, 96, 99, 105
CISSP (Certified Information Systems Security Professional) 7, 12
compliance 73, 76, 92–4, 98, 100
coping appraisal 43
COVID-19 118
culture
  ABC approach 88, 100–2, 107–9, 111–17
  awareness-raising programmes 20–2, 74, 104–5
  building a security culture 116–17
  challenging assumptions 99–100
  external drivers of change 91–4
  importance in security context 65, 86–7
  internal drivers of change 94
  rituals and routines 14, 73, 82
  role in awareness 78
  role in decision-making and behaviour 75–8
  top-down approach 82, 88, 92–3
  underestimating influence of 65
data breaches 16, 18–19, 20, 31, 35, 95, 99
decision-making 72, 73, 76–7, 108
dedicated resources 100
double-blind experiments 47
Dunning–Kruger effect 48, 60, 64
espoused values 71, 72, 73, 74, 75, 77, 79, 81, 84, 86, 92, 104
Extended Parallel Process Model 31–2, 33
FCA (Financial Conduct Authority) 82, 92
fear appeals 21, 26, 30–3, 34, 38, 41, 43
Feynman technique 27–9, 30, 37
formal/informal structures 78, 79, 81, 84
FUD (fear, uncertainty and doubt) 26
GDPR (General Data Protection Regulation) 46, 76, 89, 105
Gerstner, Louis 94
good practice 1, 12–13, 25, 46
groupthink 11
HARK (Hypothesizing After the Results are Known) 46, 47
Hawthorne effect 46, 47, 49, 59
HR (human resources) 36, 99, 102, 103
human behavioural tools 56–7, 64
IBM 94
IEC (International Electrotechnical Commission) 105
individualism and collectivism 69, 75
induction programmes 7, 9, 36, 73, 85
indulgence and restraint index 69, 75
Information Security Forum (2020) 12
information security policy 41, 50, 52–5, 64, 105
ISO (International Organization for Standardization) 89, 105
IT (information technology) 6, 11, 99–100, 105
job titles and responsibilities 105–6
Kahneman, Daniel 76
Kotter’s stages for change 90–1
KPIs (key performance indicators) 97
Leventhal, Howard 31
links, clicking 40, 49, 61–2, 118
  awareness of 1, 2, 5, 9, 11, 13, 18, 21, 27, 30, 32, 34
long- and short-term orientation 69
MAS (Monetary Authority of Singapore) 93, 102
masculine and feminine societies 69
Maslow’s Hierarchy of Needs 71, 79
metrics 22, 23, 25, 66, 75, 76
national cultures 68–70, 74, 75, 80–1, 84–5
NCSC (National Cyber Security Centre) 26, 33
NHS (National Health Service) 21, 33
NIST (National Institute of Standards and Technology) 4–5, 17, 20, 22, 33, 34, 35, 89, 105
normalcy bias 98
organisational cultures (culture type) 67, 70
passive awareness 6, 8, 10, 17, 37
passwords
  carelessness with 30, 40, 42, 47, 49, 56, 58
  password management 21–2, 28, 34, 36, 52, 58, 59–60, 64
  strength/weakness of 21, 27, 32, 33–4, 41, 57
PCI DSS (Payment Card Industry Data Security Standard) 105
phishing attacks
  anti-phishing training 61–2, 64
  awareness 3, 4, 5, 9, 10, 16, 18, 19, 21–2, 30, 34, 36
  behaviour 40–1, 49–50, 52, 57, 58, 61–2, 64
  spear-phishing 19, 21–2, 34, 36
planned behaviour theory 42, 43, 50, 51, 54
power distance ratio 68, 75, 91
protection motivation theory 31, 43–4, 50, 51
psychology 30–2, 37, 39, 41, 43–4, 50, 52, 56, 58–60
punishment/reinforcement models 56–7, 59, 61, 63–4, 103
raising awareness 6–7, 9, 17–22, 26–9, 35, 36–7, 64, 74, 104–5
recruitment and retention 103–4
resources, allocating and utilising 22–4, 100–1
rewards and recognition, building 102–3
rituals and routines 14, 73, 80, 82
role modelling 101–2, 105, 111
RSA conference (2020) 33
salience (or saliency) bias 98
SANS European Security Awareness Summit (2016) 29
SAS (Scandinavian Air Systems) 111
Secure Summits survey (2017) 39, 44–6, 52–5, 58
Sinek, Simon 27
situational awareness 18, 25, 76
SMART (specific, measurable, achievable, relevant and time-bound) 49
social proof 19, 25, 70, 77, 78
software/security updates 43, 63, 64, 92
SP (Special Publication) 4–5, 17
spear-phishing 19, 21–2, 34, 36
stories and myths 14, 73, 80, 103, 104
sub-cultures 68, 70, 72, 94, 116
Thaler, Richard 76
threat appraisal 43
underlying assumptions 71, 72–3, 74, 77, 83, 84, 86
URL (Uniform Resource Locator) 11
USB (Universal Serial Bus) keys 47, 50, 62–3, 64, 113–14
Verizon Data Breach Investigations Report (2020) 16
VPN (virtual private network) 116
‘why’ questions 16–17, 20–1, 27, 32, 74, 94, 109–10
Witte, Kim 31