Chapter 1: What Is a Security Awareness Program?
The Motivations of Online Attackers
Industrial Espionage/Trade Secrets
Chapter 3: Cost of a Data Breach
The Payment Card Industry Data Security Standard (PCI DSS)
State Breach Notification Laws
Chapter 4: Most Attacks Are Targeted
Targeted Attacks Against Law Firms
Common Attack Vectors: Common Results
Chapter 5: Who Is Responsible for Security?
Information Technology (IT) Staff
Everyone Is Responsible for Security
Chapter 6: Why Current Programs Don't Work
The Lecture Is Dead as a Teaching Tool
The Seven Learning Styles
Chapter 7: Social Engineering
What Is Social Engineering?
Who Are Social Engineers?
Attack Planning and Execution
The Spear Phishing E-mail
The Social Engineering Defensive Framework (SEDF)
Streamline Existing Technology and Policy
Planning a Tabletop Exercise
Where Can I Learn More About Social Engineering?
Chapter 8: Physical Security
What Is Physical Security?
Threats to Physical Security
Why Physical Security Is Important to an Awareness Program
How Physical Attacks Work
Minimizing the Risk of Physical Attacks
Preparing for a Physical Assessment
Can't Afford a Physical Security Assessment?
Chapter 9: Types of Training
Chapter 10: The Training Cycle
Adjusting Your Training Cycle
Chapter 11: Creating Simulated Phishing Attacks
Simulated Phishing Attacks
Understanding the Human Element
Open-source Tool, Commercial Tool, or Vendor Performed?
Selecting a Commercial Tool
Determine Attack Objective
Select a Type of Phishing Attack
Creating the Landing Page
Post Assessment Follow-up
Chapter 12: Bringing It All Together
Create a Security Awareness Website
Promoting Your Awareness Program
National Cyber Security Awareness Month
Chapter 13: Measuring Effectiveness
Building Your Presentation
Chapter 14: Stories from the Front Lines
Security Research at Large Information Security Company
Security Analyst at a Network Security Company
Appendix A: Government Resources
NIST Special Publication 800-16
NIST Special Publication 800-16 Appendix A-D
NIST Special Publication 800-16 Appendix E
Statement of Work Computer Security Awareness and Training: April 2000
NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program
US Department of Health and Human Services: Security Awareness and Training
National Initiative for Cybersecurity Careers and Studies
NIH Information Security Awareness Course
National Cyber Security Awareness Month
Cyber Security Tips: US-CERT
Cyber Security Alerts: US-CERT
Information Security Awareness Training for Texas
Florida Department of Children and Families
Information Security Awareness Training Family Educational Rights and Privacy Act (FERPA)
Appendix B: Security Awareness Tips
Appendix C: Sample Policies
SANS: Information Security Policy Templates
Open-Source Security Awareness Training Resources
Appendix D: Commercial Security Awareness Training Resources
The Security Awareness Company
Kevin Mitnick Security Awareness Training: KnowBe4
The Roer Group: The Security Culture Company
Appendix E: Other Web Resources and Links
SANS: The Importance of Security Awareness Training
Schneier on Security: Security Awareness Training
Building a Security Awareness Program: Cyberguard
Security Awareness Toolbox: The Information Warfare Site
SANS Reading Room: Security Awareness Section
Security Awareness Posters
Cyber Security Awareness Challenge 2.0
Appendix F: Technical Tools That Can Be Used to Test Security Awareness Programs
Appendix G: The Security Awareness Training Framework
Taxonomy/Classification Team
Documentation/Artifact Team
Communications/Social Media Team
The History of the Security Awareness Training Framework
The Mission of the Security Awareness Training Framework
Understand How People Learn Information Security Awareness
Develop Feedback Mechanisms and Standardized Reporting Metrics
Appendix H: Building a Security Awareness Training Program Outline
Appendix I: State Security Breach Notification Laws
Appendix J: West Virginia State Breach Notification Laws, W.V. Code 46A-2A-101 et seq.
Appendix K: HIPAA Breach Notification Rule
Unsecured Protected Health Information and Guidance
Breach Notification Requirements
Notification by a Business Associate
Administrative Requirements and Burden of Proof
Instructions for Submitting Notice of a Breach to the Secretary
Breaches Affecting 500 or More Individuals
Breaches Affecting Fewer than 500 Individuals
Federal Trade Commission (FTC) Health Breach Notification Rule
Appendix L: Complying with the FTC Health Breach Notification Rule
Who's Covered by the Health Breach Notification Rule
You're Not a Vendor of Personal Health Records If You're Covered by HIPAA
Third-Party Service Provider
What Triggers the Notification Requirement
What to Do If a Breach Occurs
Who You Must Notify and When You Must Notify Them
What Information to Include
Answers to Questions About the Health Breach Notification Rule
We're a HIPAA Business Associate, but We Also Offer Personal Health Record Services to the Public. Which Rule Applies to Us?
What's the Penalty for Violating the FTC Health Breach Notification Rule?
Law Enforcement Officials Have Asked Us to Delay Notifying People About the Breach. What Should We Do?
Where Can I Learn More About the FTC Health Breach Notification Rule? Visit www.ftc.gov/healthbreach.
Your Opportunity to Comment
Appendix L: Information Security Conferences
Appendix M: Recorded Presentations on How to Build an Information Security Awareness Program
Appendix N: Articles on How to Build an Information Security Awareness Program