Ebook People Centric Security Transforming Your Enterprise Security Culture PDF Full Chapter PDF

People-centric security : transforming
your enterprise security culture - eBook

PDF
Visit to download the full and correct content document:
https://ebooksecure.com/download/people-centric-security-transforming-your-enterpri
se-security-culture-ebook-pdf/
AppDev / People-Centric Security: Transforming Your Enterprise Security Culture / 677-8 / Front Matter
Blind Folio i
People-Centric
Security
Transforming Your Enterprise
Security Culture
Lance Hayden
New York Chicago San Francisco

Athens London Madrid Mexico City
Milan New Delhi Singapore Sydney Toronto
00-FM.indd 1 11/08/15 11:55 AM

Copyright © 2016 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976,
no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a
computer system, but they may not be reproduced for publication.
ISBN: 978-0-07-184679-0
MHID: 0-07-184679-4
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-184677-6,
MHID: 0-07-184677-8.
eBook conversion by codeMantra

Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in
corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility
of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the
accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from
the use of such information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is
subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work,
you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute,
disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the
work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may
be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR
WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM
USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA
HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your
requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable
to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom.
McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances
shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar
damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such
damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort
or otherwise.
Blind Folio iii
To Jayne and Wyatt, because everything.
00-FM.indd 3 11/08/15 11:55 AM

Blind Folio iv
About the Author

Dr. Lance Hayden is a managing director in the Technology Advisory Practice of BRG,
an international strategy and research firm. Dr. Hayden’s security career spans 25 years
across the public, private, and academic sectors. His interest in human security behaviors
and culture began while a HUMINT operations officer with the Central Intelligence
Agency, and continued in security roles at companies including KPMG, FedEx, and
Cisco. Dr. Hayden provides expert advice and consulting on information security strategy,
measurement, and culture to companies and governments around the globe. In addition
to People-Centric Security, he is the author of IT Security Metrics: A Practical Framework
for Measuring Security and Protecting Data, also from McGraw-Hill Education. Lance
received his PhD in information science from the University of Texas, where he also
teaches courses on security, privacy, and the intelligence community. He lives in Austin.
About the Technical Editor

David Phillips has been protecting clients’ IT systems for over 20 years, including
technical mitigation, information security risk programs, IT network security
architecture, and regulatory compliance. David developed a growing professional service
business inside a multinational networking corporation focused on cybersecurity,
protecting clients’ intellectual property and customer data, and securing networks to
allow for resilient IT infrastructure in the face of cyberattacks. His clients have included
multibillion-dollar businesses in the retail, finance, manufacturing, energy, and healthcare
verticals. David has worked with global enterprises to measure and mature their security
capabilities across people, process, and technology, spanning levels from technology
management to security awareness and security cultural transformation. David lives
outside of Austin, Texas.
00-FM.indd 4 11/08/15 11:55 AM

Contents at a Glance
Part I Understanding Your Security Culture
Chapter 1 Information Security: Adventures in Culture Hacking . . . . . . . . . . . . 3
Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture . . . . . . . 19
Chapter 3 Organizational Culture: A Primer . . . . . . . . . . . . . . . . . . . . . . . 39
Chapter 4 Cultural Threats and Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Part II Measuring Your Security Culture

Chapter 5 The Competing Security Cultures Framework . . . . . . . . . . . . . . . . . 81
Chapter 6 The Security Culture Diagnostic Survey (SCDS) .. . . . . . . . . . . . . . . 115
Chapter 7 Creating Culture Maps with the Security Culture Diagnostic Survey . . . . 139
Chapter 8 Implementing a Successful Security Culture Diagnostic Project . . . . . . . 159
Part III Transforming Your Security Culture

Chapter 9 From Diagnosis to Transformation:
Implementing People-Centric Security . . . . . . . . . . . . . . . . . . . . . 189
Chapter 10 Security FORCE: A Behavioral Model for People-Centric Security .. . . . . 201
Chapter 11 The Security Value of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Chapter 12 The Security Value of Operations . . . . . . . . . . . . . . . . . . . . . . . 239
Chapter 13 The Security Value of Resilience . . . . . . . . . . . . . . . . . . . . . . . . 263
Chapter 14 The Security Value of Complexity . . . . . . . . . . . . . . . . . . . . . . . 285
00-FM.indd 5 11/08/15 11:55 AM

vi People-Centric Security: Transforming Your Enterprise Security Culture
Chapter 15 The Security Value of Expertise . . . . . . . . . . . . . . . . . . . . . . . . 309
Chapter 16 Behavior and Culture: Mastering People-Centric Security . . . . . . . . . . 333
Chapter 17 Leadership, Power, and Influence in People-Centric Security . . . . . . . . 357
Chapter 18 Securing a People-Centric Future .. . . . . . . . . . . . . . . . . . . . . . . 369
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
00-FM.indd 6 11/08/15 11:55 AM

Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Part I Understanding Your Security Culture
Chapter 1 Information Security: Adventures in Culture Hacking . . . . . . . . . . . . 3

Burnt Bacon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Safe and Not Secure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
What Were You Thinking? .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Culture Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Software of the Mind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
A Brief History of Culture Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Security Culture: Hack or Be Hacked . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Who’s Hacking Your Security Culture? .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Security, Hack Thyself . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Culture Hacks: The Good . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Culture Hacks: The Bad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Culture Hacks: The Ugly .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Security Is People! .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture . . . . . . . 19

Why Security Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
We Start with a Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Warning Signs .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Doing More with Less . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Who Moved My Fence? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Look Out Below! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Getting the Drift .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
vii
00-FM.indd 7 11/08/15 11:55 AM

viii People-Centric Security: Transforming Your Enterprise Security Culture
The Opposite of Monoculture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Cultural Traits in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Competing Values and Security Threats .. . . . . . . . . . . . . . . . . . . . . . . . . 34
The Change Agents of Security Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
The C-Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Security Awareness Teams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Security Researchers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Security Practitioners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Making Security Cultural . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Chapter 3 Organizational Culture: A Primer . . . . . . . . . . . . . . . . . . . . . . . 39

The Field of Organizational Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Origins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Outcomes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
The Culture Iceberg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Hidden Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
People Powered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
The Organizational Cultural/Organizational Performance Link . . . . . . . . . . . . . . . . . 47
Assessing and Measuring Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Qualitative vs. Quantitative Measurement of Culture .. . . . . . . . . . . . . . . . . . 49
Qualitative Measures and Techniques .. . . . . . . . . . . . . . . . . . . . . . . . . . 50
Culture by the Numbers .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Challenges of Cultural Transformation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
There’s No One Right Way to Change Culture .. . . . . . . . . . . . . . . . . . . . . . 54
You Have to Include Everybody .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
You Have to Build Consensus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
You Have to Evaluate the Outcomes . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
You Have to Have Good Leadership . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
An Ocean of Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Chapter 4 Cultural Threats and Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Cultural Threat Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Covert Processes and Cultural Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Getting to Know PEPL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Political Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Emotional Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
00-FM.indd 8 11/08/15 11:55 AM

Contents ix
Psychological Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Logistical Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Cultural Competition as a Source of Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Sizing Up the Competition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Part II Measuring Your Security Culture
Chapter 5 The Competing Security Cultures Framework .. . . . . . . . . . . . . . . . . 81

Measuring Security Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Quantitative Data and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Qualitative Data and Analysis .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Combining the Qualitative and Quantitative . . . . . . . . . . . . . . . . . . . . . . . 88
Other Ways of Describing Culture .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
The Competing Security Cultures Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Origins of the CSCF in Competing Values Research . . . . . . . . . . . . . . . . . . . . 94
Adapting the Competing Values Framework to Security . . . . . . . . . . . . . . . . . 96
The CSCF Quadrants .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Overlapping and Competing Values .. . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Limitations of the Framework .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Why Not Just Use the Competing Values Framework? . . . . . . . . . . . . . . . . . . . . . . 102
Security Culture Benefits From a Targeted Approach . . . . . . . . . . . . . . . . . . . 102
Not Everything in the Competing Values Framework Translates Well .. . . . . . . . . . 103
Organizational Security Cultures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Process Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Compliance Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Autonomy Culture .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Trust Culture .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Chapter 6 The Security Culture Diagnostic Survey (SCDS) . . . . . . . . . . . . . . . . 115

SCDS Format and Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
How Surveys Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Questions in the SCDS .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
SCDS Scoring Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Scoring the SCDS Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
00-FM.indd 9 11/08/15 11:55 AM

x People-Centric Security: Transforming Your Enterprise Security Culture
Security Culture Diagnostic Strategies: Case Studies . . . . . . . . . . . . . . . . . . . . . . . 128

ABLE Manufacturing: Measuring an Existing Security Culture . . . . . . . . . . . . . . 128
CHARLIE Systems, Inc.: Comparing Security Cultures of Two Organizations . . . . . . . 133
DOG: Comparing Existing to Desired Security Culture . . . . . . . . . . . . . . . . . . 135
Chapter 7 Creating Culture Maps with the Security Culture Diagnostic Survey . . . . 139
Security Culture Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Mapping Security Culture Using the CSCF .. . . . . . . . . . . . . . . . . . . . . . . . 141
Composition of a SCDS-based Culture Map . . . . . . . . . . . . . . . . . . . . . . . . 143
Other Techniques for Mapping Security Culture .. . . . . . . . . . . . . . . . . . . . . 146
“When Should I Use Each Type of Map?” . . . . . . . . . . . . . . . . . . . . . . . . . 148
Mapping Specific Values and Activities . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Interpreting and Comparing Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Interpreting SCDS Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Comparing Cultures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Chapter 8 Implementing a Successful Security Culture Diagnostic Project . . . . . . . 159

Getting Buy-in for the Security Culture Diagnostic Project . . . . . . . . . . . . . . . . . . . . 160
Direct Benefits of Security Culture Improvement . . . . . . . . . . . . . . . . . . . . . 160
Estimating the Financial Impact of Security Culture . . . . . . . . . . . . . . . . . . . 162
Case Study: FOXTROT Integrators, Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Executing a Security Culture Diagnostic Project . . . . . . . . . . . . . . . . . . . . . . . . . . 170
1. Setting Up the Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
2. Collecting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
3. Analyzing Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
4. Interpreting Culture and Communicating Results . . . . . . . . . . . . . . . . . . . 181
From Measurement to Transformation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Part III Transforming Your Security Culture
Chapter 9 From Diagnosis to Transformation: Implementing People-Centric Security . 189

Diagnosis and Transformation: One Coin, Two Sides . . . . . . . . . . . . . . . . . . . . . . . 190
The CSCF as a Framework for Understanding .. . . . . . . . . . . . . . . . . . . . . . 190
What Is the Framework for Transformation? . . . . . . . . . . . . . . . . . . . . . . . 191
Behavioral Models for Security Culture Transformation .. . . . . . . . . . . . . . . . . . . . . 192
Compliance and Control Regimes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Security Process Improvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
00-FM.indd 10 11/08/15 11:55 AM

Contents xi
Technology and Automation Approaches . . . . . . . . . . . . . . . . . . . . . . . . . 196

Security Needs More Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Chapter 10 Security FORCE: A Behavioral Model for People-Centric Security . . . . . 201

Origins of Security FORCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
HRO Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
HROs in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Introducing the Security FORCE Behavioral Model . . . . . . . . . . . . . . . . . . . . . . . . 208
Five Core Values of Security FORCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security FORCE Value Behaviors and Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Security FORCE Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Security FORCE Value Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
The Culture–Behavior Link in HRSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Chapter 11 The Security Value of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

What Is the Security Value of Failure? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
“Failure Is Not an Option” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Reevaluating Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Embracing Failure .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Fail Small, Fail Fast, Fail Often . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Failure Key Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Anticipate Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Seek Out Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Reward Problem Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Share Information About Failures .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Learn from Mistakes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Assessing Your Failure Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
The Security FORCE Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
The Security FORCE Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Improving Your Failure Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Embed the Security Value of Failure into People . . . . . . . . . . . . . . . . . . . . . 237
Reeducate People on What It Means to Fail . . . . . . . . . . . . . . . . . . . . . . . 237
Set Leadership Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Open Up Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
00-FM.indd 11 11/08/15 5:37 PM

xii People-Centric Security: Transforming Your Enterprise Security Culture
Chapter 12 The Security Value of Operations .. . . . . . . . . . . . . . . . . . . . . . . . 239

What Is the Security Value of Operations? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Operational Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Sensitivity to Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Expectations and Reality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Operations Key Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Keep Your Eyes Open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Form a Bigger Picture .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
“Listen” to the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Test Expectations Against Reality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Share Operational Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Assessing Your Operations Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Scoring the Operations Value Behavior Survey . . . . . . . . . . . . . . . . . . . . . . 255
FORCE Value Metrics for Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Improving Your Operations Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Embed Operations Value into the Security Program . . . . . . . . . . . . . . . . . . . 259
Think More Like Scientists .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Embrace the “Sharing Economy” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Lighten Up a Bit .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Chapter 13 The Security Value of Resilience . . . . . . . . . . . . . . . . . . . . . . . . . 263

What Is the Security Value of Resilience? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
When Bad Things Happen (to Good Organizations) . . . . . . . . . . . . . . . . . . . 264
Rolling with the Punches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Imagining Failures and Disasters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Resilience Key Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Overtrain People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Create “Skill Benches” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Actively Share Expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Encourage Stretch Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Practice Failing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Assessing Your Resilience Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Scoring the Resilience Value Behavior Survey . . . . . . . . . . . . . . . . . . . . . . 278
FORCE Value Metrics for Resilience . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
00-FM.indd 12 11/08/15 11:55 AM

Contents xiii
Improving Your Resilience Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Embed Resilience Value into the Security Program . . . . . . . . . . . . . . . . . . . . 282
“A Security Incident? I Want In!” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Make Security Incidents Mundane . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Chapter 14 The Security Value of Complexity . . . . . . . . . . . . . . . . . . . . . . . . 285

What Is the Security Value of Complexity? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Dumbing It Down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Growing Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Ignorance Is Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Complexity Key Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Don’t Oversimplify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Formalize Your Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Covet Empirical Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Share the Doubt .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Make Every Model Better . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Assessing Your Complexity Value Behaviors .. . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Scoring the Complexity Value Behavior Survey .. . . . . . . . . . . . . . . . . . . . . 301
FORCE Value Metrics for Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Improving Your Complexity Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Embed Complexity Value into the Security Program . . . . . . . . . . . . . . . . . . . 305
Think Bigger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Accept What We Already Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Chapter 15 The Security Value of Expertise .. . . . . . . . . . . . . . . . . . . . . . . . . 309

What Is the Security Value of Expertise? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Filter Your Water, Not Your Information . . . . . . . . . . . . . . . . . . . . . . . . . 311
Structural Authority vs. Structural Knowledge . . . . . . . . . . . . . . . . . . . . . . 312
Waiting for the Big One .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Expertise Key Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Ask the Experts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Suppress the Egos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Allow Authority to Migrate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Share Credibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Reward Calls to Action and Cries for Help .. . . . . . . . . . . . . . . . . . . . . . . . 322
00-FM.indd 13 11/08/15 11:55 AM

xiv People-Centric Security: Transforming Your Enterprise Security Culture
Assessing Your Expertise Value Behaviors .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Scoring the Expertise Value Behavior Survey .. . . . . . . . . . . . . . . . . . . . . . 325
FORCE Value Metrics for Expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Improving Your Expertise Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Embed Expertise Value into the Security Program . . . . . . . . . . . . . . . . . . . . 329
Make Everyone a Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Create Decision Fast Lanes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Value Expertise from the Top Down .. . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Chapter 16 Behavior and Culture: Mastering People-Centric Security . . . . . . . . . . 333

What Does Security Culture Transformation Mean? .. . . . . . . . . . . . . . . . . . . . . . . 334
Describing Transformation in Terms of Cultural Capabilities Maturity . . . . . . . . . . 334
The Cultural Capabilities Maturity Model: Formalizing Cultural Maturity .. . . . . . . . 335
Supporting Security Culture Transformation with Security FORCE Projects . . . . . . . . . . . . 338
The Value of a Security FORCE Project . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Managing a Security FORCE Project .. . . . . . . . . . . . . . . . . . . . . . . . . . . 338
The Security FORCE Scorecard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Scoring the FORCE Survey Questions, Revisited .. . . . . . . . . . . . . . . . . . . . . 341
Pooling Your FORCEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Security FORCE Metrics and the FORCE Scorecard .. . . . . . . . . . . . . . . . . . . . 342
“Are We a Highly Reliable Security Program?” .. . . . . . . . . . . . . . . . . . . . . 343
CSCF and Security FORCE: Aligning Culture and Behavior in People-Centric Security . . . . . . . 347
Chaining Culture and Behavior Efforts . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Using the SCDS and FORCE Independently . . . . . . . . . . . . . . . . . . . . . . . . 349
General Alignments Between Security FORCE and the CSCF . . . . . . . . . . . . . . . 349
Taking Advantage of Cultural-Behavioral Alignments . . . . . . . . . . . . . . . . . . 353
Blending Security Culture Diagnostic and Security FORCE Projects
for Improved Cultural Maturity . . . . . . . . . . . . . . . . . . . . . . . . . ..... 355
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... 356
Chapter 17 Leadership, Power, and Influence in People-Centric Security . . . . . . . . 357

A Crisis of Leadership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
The CISO as a Business Leader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Business Leaders as Security Enablers . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Security Power Dynamics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
“What if I am not a CISO?” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
00-FM.indd 14 11/08/15 11:55 AM

Contents xv
Leadership in People-Centric Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

You Don’t Lead Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Influence and Transformation .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Adapting the CSCF and Security FORCE Model to Leadership . . . . . . . . . . . . . . . . . . . 365
The CSCF, SCDS, and Cultural Leadership . . . . . . . . . . . . . . . . . . . . . . . . . 366
The Security FORCE Model and Behavioral Leadership . . . . . . . . . . . . . . . . . . 367
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Chapter 18 Securing a People-Centric Future . . . . . . . . . . . . . . . . . . . . . . . . . 369

The Security of Things . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Social Security .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
As Many Securities as Things to Secure . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Framing People-Centric Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Security Soft Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Three Takeaways from the Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Putting People-Centric Security to Work .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Two Models, One Goal .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
People-Centric Security Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
00-FM.indd 15 11/08/15 11:55 AM

This page intentionally left blank
Foreword
After having worked in information security for over 20 years, I have come to a
simple conclusion: unless we move beyond technology alone and start addressing
the human element, we are in a no-win situation. Technology is where every
organization should start when managing its cyber-risk, but technology can only
go so far. We have hit that point of diminishing return. We can no longer ignore
the human factor in information security. Lance’s book is a breath of fresh air. He
creates a new chapter in how organizations should manage their risk, not just at
the technical level but at a human level. What makes Lance’s book so powerful is
that he not only backs the book with tremendous research and academic studies,
but also brings in real-world application.
I first met Lance through his previous book, IT Security Metrics. It was one
of the few books I had found that attempted to measure the human side of
information security. He went beyond just hard numbers and acknowledged the
softer side of our world. Since then, I have been working with Lance and have
come to recognize and respect the unique traits he brings to our community.
As a PhD in social science, Lance brings academic rigor to our world, but even
better, he brings the skills necessary to understand how people and cultures
work. Combined with more than 25 years of real-world, global experience in the
information security field, his philosophy and practice bring immense wealth to
the security sector.
What I love most about this book is that anyone can read it. Lance helps
you understand what culture is and why it is an issue for information security,
ultimately providing a framework to manage and measure it. I hope you are as
excited as I am about this opportunity to both better understand a challenge we
all face and leave this book better armed to do something about it.
–Lance Spitzner
Research & Community Director, SANS Securing The Human
xvii
00-FM.indd 17 11/08/15 11:55 AM

Acknowledgments
A lot of people had a hand in making this book happen, both directly and
indirectly, and I want to try to acknowledge all of them. I owe so much to
Meghan, my editor at McGraw-Hill Education, who took a chance on an idea that
she believed in and fought for. There would be no book without her. I also want
to thank David, my friend and mentor for so many years. I like to tell my son that
he’ll have lived a fortunate life if he has a friend as good as David has been to me.
I am indebted to the entire team at McGraw-Hill Education, especially those
who supported getting this book out the door. Amy, Janet, Brandi, Jared, Bill, and
Anubhooti, you made this experience rewarding and challenging, and I can’t tell
you how thankful I am for your help and your insights. Thanks as well to the many
people behind the scenes at McGraw-Hill Education who I never got to know
personally, but who contributed their own efforts to this project. Big shout-outs
go to Lance Spitzner, for contributions of both words and deeds as I was putting
this book together. To Ira, who always gives me his honest opinion on everything,
which I value more than I tell him. To Ric, for walkabouts and conversations all
over the world. And to Ken, Mike, Pablo, Steve, and Troy, for being true friends
in good times and bad. Also my gratitude to Dr. Phil Doty, one of the smartest
people I have ever met, who first suggested I read Karl Weick all those years ago.
There is very little truly original knowledge in the world, and scholars and
researchers everywhere create new contributions by mining the efforts of others
who have gone before them. I am a prime example, and I want to acknowledge the
work and contributions of all the academics and practitioners cited, quoted, and
adapted in this book. Thank you so much for lending me such excellent shoulders
to stand upon as I looked around.
Finally, a dedication is not quite enough. My wife and son deserve the last
word. They gave me space and freedom, without complaint, to take on one of the
most consuming activities I have ever experienced. And they did it not once, but
twice. Thanks, you two.
xviii
00-FM.indd 18 11/08/15 11:55 AM

Introduction
The origins of this book are diverse. It comes from several different ideas I’ve
explored or been interested in over the years, ideas that traced their own individual
orbits inside my head and then gradually came together into a concept I felt
compelled to write about. I decided I wanted to write a book about security culture
not long after I finished my first book, IT Security Metrics. I didn’t call it “security
culture” at the time or think about in those terms. I just knew after I finished the
first book that I wasn’t actually finished.
A good friend commented to me after reading IT Security Metrics that he
thought one of my most important points was how valuable qualitative data and
measurement can be to information security programs. It made me glad to hear
him say that, because it was one of the reasons I had written the book in the
first place. I wanted to add something new to a conversation that was already
taking place in our industry. Having recently finished a dissertation in the social
sciences, one that relied on both quantitative and qualitative research methods,
I thought the security metrics literature was overemphasizing quantitative inquiry
and analysis and missing out on the value of qualitative approaches. Often,
security professionals I encountered criticized qualitative data and downplayed its
usefulness, but these same folks many times didn’t even use the term “qualitative”
correctly or understand how qualitative research actually works.
In IT Security Metrics, my advocacy for qualitative approaches was deliberately
gentle and conciliatory, toned down in the hopes that I might get some readers
interested but not alienate too many of them. I still gave quantitative approaches
top billing, which was fine. The book seemed to have the intended effect. Some
people wanted to explore qualitative information security metrics more deeply,
while those who did not could safely ignore those particular chapters.
In the years since I finished the first book, a lot of things have happened and
a lot of things have changed. Perhaps the two most impactful events as far as
People-Centric Security is concerned were a global financial crisis and a crisis of
confidence in the information security industry. The former has passed, although
we still feel its lingering aftermath, while we are still smack in the middle of
xix
00-FM.indd 19 11/08/15 11:55 AM

xx People-Centric Security: Transforming Your Enterprise Security Culture
the latter. In the case of the financial meltdown, a complex global system that had
become opaque and automated broke down as a direct result of irrational human
behavior. Safeguards that were meant to prevent such collapses didn’t work. In the
case of information security, a similarly complex global system that is also highly
dependent upon technology solutions seems to be breaking down. The collapse is
not as spectacular or compressed as the financial crisis was, but it still feels pretty
catastrophic when every week seems to bring news reports of millions of people’s
data being stolen, public accusations of spying and sabotage against governments
and criminal organizations alike, and trade conferences where the industry that
makes security products will be the first to tell you it has failed and that literally
everyone has already been successfully “owned” by the bad guys.
I found at the center of all these things interesting questions of complexity, of
the limits of technology solutions, and of the power of human behavior for good
and for bad. Society is becoming more technical and more social, each driving
and extending the other. Social networking, sharing economies, and the Internet
of Things (or Everything) promise to make our world more interconnected and
more complex than ever in human history. They also promise to make the idea of
people and machines being separate more meaningless than ever before. We’re
not exactly at the point where everyone becomes a cyborg, but in a world of
wearable technology, amazing prosthetics controlled by the user’s mind, and body
implants with embedded computing and Wi-Fi capabilities, the idea isn’t exactly
hyperbole.
What happens when you can no longer tell the human infrastructure from
the technology infrastructure? That’s a question that has as many philosophical
implications as practical ones. I’m not trying to address the philosophical
points in this book. But I am going to draw a bit of a line in the sand on the
practical side of the question, specifically the one that we face in information
security. Culture has long been a word associated with how a particular group of
people sees the world, including what that group believes and how those beliefs
influence the way the group lives. Culture functions at different levels, including
geographical, ethnological, and religious levels. Culture also functions at the level
of organizations, such as companies and governments, which are perhaps more
artificial and less organic than families, tribes, and religions, but which have come
to dominate our world just as much. The company I work for has a culture. So
does the information security industry. And those cultures, as much as anything
else, drive why people do what they do. Our culture has become technological,
so we have to understand technology to decipher it. But our technology has also
become cultural. If you want to know why a technology system succeeds or fails,
whether it be a financial system or an IT system, you have to also understand people.
00-FM.indd 20 11/08/15 11:55 AM

Introduction xxi
Which brings me, if in a roundabout way, to this book. InfoSec has always
preached the triad of “people, process, and technology” as essential for good,
effective security. My experience in the industry has been that technology always
comes first, followed by process when we can manage it, and people when we
get around to them. The main role people play in information security tends to
be that of a problem waiting to happen, an insider threat, a negligent user, or
just an annoyance to be automated out of existence as best we can. This book
is my attempt to invert that, to put people in the center of information security
programs and practices. Sometimes people will be threats, but more often they
will be the untapped resources with the solutions to many of security’s current
challenges. Thankfully, I’m not alone in believing that people-centric security is
the future. The security industry is beginning to realize that technology can only
take us so far. As InfoSec programs hit the point of diminishing returns on their
technology investments, they must look for other reserves of effectiveness and
value. I hope this book helps, in some way, to facilitate the realization of that value.
Who Should Read This Book?

I wrote this book for everyone who has ever wondered why, despite our best
efforts and most sophisticated technology solutions, information security seems
to be failing more now than ever. InfoSec has become so big and so dispersed
across different specializations and disciplines that there’s not really even a single
field anymore. We have information security, IT security, information assurance,
cybersecurity, and others all maybe referring to the same thing, but maybe not. As
an example, throughout this book I’ll refer to our field as information security, or
InfoSec for short, which is indicative of my own professional history, preferences,
and experience. At the leadership level, however, no matter what you call it, chief
information security officers (CISOs) have to run their programs as a business, in
partnership with other, non-security executives. At other levels, practitioners will
have their own preferences and opinions of what constitutes our field. Everyone has
their own concerns about the best way to protect the information assets that are
crucial to enterprise success. That being said, there are several groups I can mention
who might find value in ideas about how to measure and change security culture.
CISOs
I use “CISOs” as a catch-all to include any organization’s InfoSec leadership,
regardless of official title. If you’re in charge of managing security for your company,
00-FM.indd 21 11/08/15 11:55 AM

xxii People-Centric Security: Transforming Your Enterprise Security Culture
you are the chief no matter what your job title is. As leaders, CISOs are the
people best positioned to actually manage and change an organization’s culture,
including its information security culture. But you can’t manage what you can’t
measure, so having a way to analyze and articulate security culture becomes
central to impacting and improving it. The techniques and methods I lay out in
this book can give CISOs that analytical capability, enabling them to add InfoSec
culture to their strategic objectives and roadmaps.
Non-security Organizational Leadership

For every senior executive or board member who has struggled to understand
what a CISO is talking about or to make sense of the fear, uncertainty, and doubt
over security breaches bombarding them in the media, I hope this book helps to
break down how security professionals think. If you can understand what motivates
a person, you can find a way to work with them, to compromise for mutual benefit,
and to resolve conflicts before they become dangerous. This book talks a lot about
the competition between values and cultures within an organization, including
values and cultures outside of the InfoSec program. My sincere hope is that non-
security leaders and managers can use this book as a way to better understand
information security, and where the security team is coming from in terms of
values and priorities. Even better, maybe these same non-security professionals
will be better able to explain to security practitioners where everyone else in the
organization may be coming from, especially when those values and priorities clash.
InfoSec programs are often seen as impeding rather than enabling the business,
which leads to tension and conflict between stakeholders. This is, at heart, a cultural
challenge, one I hope this book can help people to overcome.
Training and Awareness Teams

In the book, I refer to security training and awareness teams as the “tip of the
spear” for cultural transformation in the industry today. I have a great deal of
respect for anyone who takes on the challenge of educating and mentoring others,
and when the subject is protecting and preserving an organization’s information
and technology assets, that challenge can be even greater, the stakes higher. This
book is not a training and awareness book, but the methods and tools provided in
the book can absolutely help security awareness programs. One major contributor
to security incidents and data breaches today is that we don’t include enough
human and organizational behaviors in our repertoires of risk. The frameworks
I offer here can help expand that knowledge base and give training teams more
options and more areas of focus with which to be successful.
00-FM.indd 22 11/08/15 11:55 AM

Introduction xxiii
Security Operations
Again, I talk about “security operations” generally, as a blanket reference to all the
people responsible for keeping the InfoSec program running. Whether you are
an analyst, an incident response manager, a developer, or some other information
security specialist, you are part of what creates and transmits your organization’s
security culture. That means you have power, even if it doesn’t always feel that way.
This book can help give information security professionals a language with
which to express what they do and why, and to communicate with others who
may not understand or agree with them. I don’t expect people to read this book
out of some appeal to the cliché that “everyone is responsible for information
security,” although that’s true. Instead, I would encourage you to read the book for
the most self-serving of reasons, namely to be able to justify why you do things a
certain way and to explain to others why they should give their support (financial,
political, time) to help you get them done. The most common question I get asked
by customers is if I can help them justify information security measures, activities,
and budgets to upper management. In my experience, senior business leaders
speak the language of culture and organizational behavior more fluently than they
speak the language of technology and security. This book can help translate the
cryptic dialect of InfoSec into speech that business stakeholders understand.
I have drawn on years of consulting experiences in developing the case studies

and stories in this book. Names, details, and circumstances have been altered to
protect the identities of specific organizations.
Companion Website
Accompanying this book are templates that you can use in your own organization
to transform your information security culture. To call your attention to these
templates, the Download icon has been included where these templates are
referenced throughout the book. These templates, as well as other resources on
organizational and InfoSec culture, are available to you for download from http://
lancehayden.net/culture. The templates are fully customizable so that you can use
them to their best effect within your organization.
A note on URLs. Throughout the book, I use only top-level URLs, even when
pointing readers to specific documents or web pages. This is deliberate. In this
age of e-books, a broken link can be troublesome, sometimes even resulting in
a book being made unavailable through some vendors. To avoid this problem,
I have avoided links that are more likely to change or die. In all cases, it should be
a simple matter to search the site I give in the link, or the Internet more generally,
for titles and authors. I apologize for any inconvenience this may cause.
00-FM.indd 23 11/08/15 5:34 PM

AppDev / People-Centric Security: Transforming Your Enterprise Security Culture / 677-8 / Chapter 1
PART
Understanding Your
I
Security Culture
01-ch01.indd 1 02/07/15 10:52 AM

CHAPTER
Information Security:
1
Adventures in Culture
Hacking
01-ch01.indd 3 02/07/15 10:52 AM

4 People-Centric Security: Transforming Your Enterprise Security Culture
Y
ou don’t have to go digging through technology news feeds for evidence
that the world of information security is in a state of crisis. Data breaches
are all over the mainstream media. Enormous in scale and frightening in
their implications, major security incidents seem to be happening with alarming
regularity. When it is not shady criminal hackers perpetrating the theft, we
worry that it might be a hostile government gearing up for a new kind of warfare,
or even our own government embracing a new age of Orwellian surveillance
possibilities. And the message that resonates from the pages of information
security industry magazines and websites to the keynote speeches of industry
conferences and the marketing brochures of product and services vendors is,
InfoSec is broken somehow—it doesn’t seem to work anymore.
Maybe. Society has undergone profound changes with the widespread adoption
of digital, networked information technologies. Some theorists speculate that
these changes are structural, representing not just new features of traditional
society, but new definitions of society itself. In this view, we are going through
changes like those that happened when human beings stopped being nomadic
and established agriculture and villages, or like the transformations that took
place during the Enlightenment, or as a result of the Industrial Revolution.
Such evolution means that everyone, including the information security industry,
better be ready for changes unlike anything we’ve previously experienced. Technology
has become social, centered around people, and information security must become
equally people-centric if it hopes to succeed. We not only have to do things better,
but we have to invent whole new ways of doing them. That means looking at things
that have traditionally made security experts, especially technologists and engineers,
uncomfortable. Things that are hard to measure or automate. Things like people,
including their beliefs and assumptions as much as their behavior. Things like
culture.
Burnt Bacon
I first realized the power of culture in information security a few years ago at a supplier
conference hosted by a customer. Dozens of reps from different vendors filled a
large hotel ballroom reserved by our host. After we had all grabbed our coffees and
sat down, the executive running the event called the meeting to order with a safety
briefing. He introduced us to our safety officer, let’s call him Bob, who also worked
for the customer. Bob was not an executive or even a manager. But before turning
over the microphone to Bob, the executive made it clear that, in terms of our physical
safety and security, for the next two days Bob might as well be the CEO.
01-ch01.indd 4 02/07/15 10:52 AM

Chapter 1: Information Security: Adventures in Culture Hacking 5
I had not expected the briefing, but I wasn’t very surprised. The company
running the conference operated in several hazardous industries and prided
itself on the “culture of safety” it instilled in employees. Bob spent about five
minutes running us through a review of safety protocols for the event, pointing
out all the exits, telling us which we should use in the event of an emergency, and
even declaring a rallying point across the street. Should something happen that
required us to leave the building, everyone was required to meet at the rallying
point for a headcount prior to returning or taking whatever other actions Bob
deemed appropriate. Once he had finished, Bob took his post at the back of the
ballroom and the day’s activities commenced.
I was surprised when we returned from the first day’s lunch break and the
executive again handed Bob the mike so that he could repeat the same briefing
we had listened to only four hours before. “Wow,” I thought. “These people take
safety seriously.” I had never experienced that kind of briefing before at any of my
own company’s meetings, much less two in the same day at the same event!
Coincidence is a funny thing. Just over an hour after our post-lunch briefing,
the hotel fire alarm began to wail. On reflex, everyone turned around to look
at Bob, who immediately slipped out of the room. Within a minute, the alarm
stopped. A minute or two later Bob returned with one of the hotel managers in
tow, who was obviously trying to explain something. I watched Bob shake his head
“no,” prompting the manager to leave. Ten minutes later, I was standing with my
fellow vendor representatives across the street as Bob took a head count.
We found out later that the manager had contacted Bob to tell him the fire
alarm had been triggered by a small grease fire in the kitchen, but that it had
been contained and posed no danger to our meeting. Bob had not bought the
explanation and had triggered an evacuation anyway. We were the only ones to
leave the hotel after the alarm, and we caught more than a few curious glances
from people passing by. Once Bob was satisfied everyone was present and that
the hotel was not actually on fire, he gave the all clear and we filed back into
our seats in the ballroom. Despite the minor nature of the fire and the fact that
unnecessarily evacuating had cost us nearly an hour of our packed schedule, the
executive never gave a hint of annoyance. Instead, he called us back to order by
spending another few minutes praising Bob’s decision and reminding us that,
for his company, safety came before anything else.
The second morning of the conference consisted of breakout sessions scattered
in smaller rooms throughout the hotel conference center, but they began only after
our morning safety briefing was complete. We broke again for lunch, and when we
returned to the ballroom in the afternoon, the executive was waiting for us. He was
not happy. Standing in front of the room, he held up one of the vendor packets
01-ch01.indd 5 02/07/15 10:52 AM

each of us had received at the start. Stamped “Highly Confidential” on every page,
the packets were the blueprints of the company’s forward-looking IT strategy,
including strategic competitive differentiators enabled by technology adoption.
Waving the packet slowly so that we all could see it, the executive chewed
us out, describing how the document he held had been discovered in one of
the empty breakout rooms during lunch, left there by someone in the room.
He explained with obvious irritation that such blatant disregard for protecting
sensitive corporate data was unacceptable, especially in a room that included
many information security professionals. If it happened again, he warned us,
there would be hell to pay. And with that, we started up again, beginning once
again with our mandatory safety briefing.
Safe and Not Secure

An important characteristic of culture is that it tends to be invisible, functioning
just below our conscious awareness of its influence. But that often changes when
we find our own cultural norms challenged, and suddenly we see patterns and
conflicts jumping out at us from the shadows. Take, for example, the stark contrast
between my customer’s safety culture, where the response to the possibility of an
incident brought all business to a stop and triggered emergency action plans, and the
customer’s security culture, where an actual security incident resulted in nothing
more than a stern talking-to. The two completely divergent responses to essentially
the same thing, a failure incident, made the differences between the safety and
security cultures of my customer stand out from one another like black and white.
“Wow,” I thought, “one of these things is not like the other.” It was astounding.
My customer believed they had a strong culture of safety. They also believed
they had a strong information security culture. But culture is defined by behaviors,
not beliefs. The completely different behaviors they exhibited between the two
incidents showed where their priorities really lay. Had the executive treated the
failure to secure sensitive information like Bob had treated a burnt rasher of
bacon, we would have stopped the proceedings immediately until he resolved the
problem. Instead of ordering an evacuation, he would have ordered everyone in
the room to hold up their vendor packets. The documents were controlled, and at
least one person would not have had one.
What Were You Thinking?

I found myself obsessing over the experience for the rest of the day. It distracted
me from focusing on the presentations and the interactive sessions. I was distant
01-ch01.indd 6 02/07/15 10:52 AM

and disengaged. Why had the executive just let that security incident slide so easily?
He had been visibly angry over it, but he could have done much more than scold
us. Was he worried about embarrassing people? Had the evacuation thrown us
so far off schedule that he was just trying to make up for lost time and not delay
the event further? Thinking that maybe he intended to follow up later and try to
track down the perpetrator some other way, I checked for unique identifiers on my
packet that could have tracked it back to me directly. I found nothing of the sort.
For a little while, I got depressed. I had traveled a long way to attend a meeting
that was all about how important security was to this company, only to watch a
senior executive get upstaged by a junior employee when it came to taking action in
the face of risk. The response to the security incident called into question the whole
purpose of the conference. If the company wasn’t going to take action when faced
with a security breach involving one of their own information security vendors, how
were they ever going to protect themselves from the real bad guys? It would all be
technology products and lip service. They didn’t care enough to make a real change.
I found myself thinking, “They should put Bob in charge of information security.”
Then I realized something else. I considered the real, physical harm that I knew
this company had seen as a result of lapses in workplace safety. People had been
injured on the job, had even died, in the decades that the firm had been working
in the industry. I knew the firm had also experienced information security
breaches in the past, but my impression was that these failures had rarely risen
above the level of a moderate inconvenience. People had a bad day, to be sure,
but at the end of it everyone went home safely. If the information security culture
was not as strong as the safety culture, it was because the world of information
security just didn’t feel as dangerous as the world of workplace safety. No matter
what they said, this company could not think about data security the same way
they thought about physical safety. Those cultures could exist side by side, but the
assumptions and beliefs that drive behavior, born of experience and observation,
were just not the same. I was fascinated and, once more able to focus on the
customer, made a mental promise to research the topic further.
So here we are.
Culture Hacking
This book is about culture. It is about understanding it and about transforming it.
You can even say it’s about hacking it. And when I say hacking, I mean hacking in
an old-school sense, the hacking that Steven Levy described in Hackers: Heroes of
the Computer Revolution. Before the term evolved (some might say devolved) into
01-ch01.indd 7 02/07/15 10:52 AM

today’s more familiar usage, with all its implied negativity and criminal inferences,
hacking described a process of gaining knowledge about a system by exploring
and deconstructing it. This knowledge would then be put to use to make that
system better, more innovative and elegant. The MIT hackers that Levy wrote
about dealt in computer software, the programs and digital code that define how
those systems function. But systems, code, and hacking don’t stop there.
Software of the Mind

Researchers and experts in organizational culture talk about their topic in ways
that would not be completely unfamiliar to computer engineers. There are many
frameworks and metaphors for describing organizational culture, but all converge
on the idea that culture is a shared set of norms, values, and routines that serves
to define how people behave together in organized group settings. If you have
ever started a new job, then you have probably experienced a cultural shift as you
had to learn how things were done at your new organization, and maybe some
of those things were completely foreign to you. But as you learned the ropes, as
the culture was transmitted to you and you became part of it, things that you had
to think about became automatic and unconscious behaviors. It’s almost like the
organization programmed you to function within it.
Geert Hofstede, one of the more influential scholars in the field, talks about
organizational culture in just this way. For Hofstede, culture is “software of the
mind” that allows individuals to align their thoughts, beliefs, and actions in order to
solve specific problems. Nowhere does Hofstede, or any other culture researchers I
am familiar with, claim that people are programmable in the same way computers
are. But these experts do look at organizations as complex systems that share
similarities with computers and networks.
By using metaphors drawn from software and computing, we can conceptualize
and identify means of understanding how culture can be observed, measured, and
changed. Thinking about organizational culture as a different kind of software,
with its own codes and programming techniques, makes the hacking analogy a lot
more applicable. In fact, the security industry already uses the analogy all the time
when talking about social engineering. The idea of hacking people is not new or
even very controversial in our industry. But social engineering has always focused
primarily on individuals, treating each potential victim as an independent system
that must be exploited. You can automate social engineering, as does an attacker
who conducts mass phishing attempts by using automated group e-mail tools, but
this only allows the attacker to target individuals more quickly and efficiently. It’s
simply a question of scale.
01-ch01.indd 8 02/07/15 10:52 AM

Hacking culture is different from hacking computers. It means understanding

and exploring the relationships between people, the drives and motivations that
cause many unique individuals to behave in very similar ways, as a group. Instead
of trying to affect the behavior of individual people making specific decisions,
a culture hacker is more interested in understanding and changing the entire
group’s behavior, by changing what that group thinks and believes. Part of hacking
is about elegance and efficiency, the ability to produce the greatest effect with the
least effort. If you focus on my individual behaviors, trying to change them one at
a time, you will be lost in an infinity of inputs and outputs. But if you are able to
understand and change my beliefs and assumptions, you will have tapped into the
programming that drives all my decisions.
Hacking a person’s belief systems may seem kind of creepy, and culture hacking
can certainly be put to evil uses. But hacking has never just been about breaking
into computer systems illegally or immorally for illicit gain. That’s a narrow
definition that has, unfortunately, come to be the most associated meaning of
the word, thanks to the media and, ironically enough, the security industry. But
hacking is much more than that, with a longer history than the one information
security has tried to impose on it. Culture hacking is similar. I didn’t invent the
concept, and it’s been around for a long time. I just believe it’s a very useful way to
think about the challenge of people-centric security.
A Brief History of Culture Hacking

The first people to call themselves culture hackers came from the worlds of activism,
fashion, and art. They wanted to shape the way the world looked at itself, to shake
up the status quo, and to pull the curtains back on people’s preconceived notions.
For Mike Myatt, a leadership expert and author, hacking in organizations involves
breaking down existing codes and complexity, finding alternatives, and replacing
out-of-date or inefficient processes. That’s old-school hacking.
Culture hacking is pre-digital, going back to practices like billboard jamming,
literally changing the messages on real-world roadside billboards from
advertisements to more ironic or anti-corporate messages. These techniques date
back to the 1970s, developing in parallel with phone phreaking and the beginning
of computer hacking. It wasn’t about stealing or defacing private property; it was
about retaking control of the system from those who had corrupted it, to make it
free again. This was the ’70s, remember.
Though it started out fueled by flower power, culture hacking has proven
remarkably resilient. As the world changed, so did the focus of the movement.
Culture hacking and technology merged with the creation of groups like the
01-ch01.indd 9 02/07/15 10:52 AM

Adbusters Media Foundation, which both uses and critiques digital technologies.
In 2011, Adbusters was central in creating the Occupy Wall Street movement.
Throughout its history, the mission of culture hackers was to reshape behavior by
targeting basic social programming, usually with an anti-authoritarian and anti-
corporate bias, just like many of the early computer hackers.
Whether or not you grok the whole anti-establishment theme, hacking (computers
or cultures) is a set of techniques and tools for exploring and deconstructing complex
systems for the express purpose of changing them, making them work differently,
evolving them. Depending on what side of the fence you are on, this can be a process
of innovation or a process of manipulation and abuse. But then again, you can say that
of just about any tool. A hammer can easily become a nasty weapon.
Security Culture: Hack or Be Hacked

I believe that culture is the single most important untapped resource for improving
information security today. Security is not a technology challenge. If it were,
technology would have fixed the problems a long time ago. Security is a people
challenge, a social and organizational challenge. It’s a cultural challenge.
People, and how to deal with them, seem to especially baffle information security
professionals, to the point where we have trouble even talking about the human
beings that make up our organizations as anything other than problems to be
dealt with, insider threats to be identified and managed, or risks to be mitigated,
preferably by automating them away. When we do think about people, we tend
to think of them as targets for attack or accidents waiting to happen. Steeped as
the industry is in a background of engineering and applied technology, we can be
deeply ambivalent about the qualitative, the emotional, or the political—in other
words, all the things that make up the organizational cultures in which information
security has to operate. Given the industry’s mistrust of people in general, it’s not
very surprising that the idea of people-centric security has taken a while to gain
traction.
The industry is changing, becoming more cognizant of the importance of
people to the successful protection of information assets and information supply
chains throughout the global digital economy. We’re not changing because we
have suddenly seen the light and developed a new appreciation for the chaotic
and irrational human networks we must secure. We’re changing, at least in part,
because we’ve tried everything else, it’s still not working, and we’re desperate.
And that’s okay. Sitting in my vendor conference, I had the epiphany that my hosts
didn’t take information security seriously because they had never experienced
any really serious problems related to it, certainly not like they had with physical
01-ch01.indd 10 02/07/15 10:52 AM

accidents and losses. I was sure that as soon as they did experience a catastrophic
information security event, they would attack the problem with the same
commitment and zeal that had created their impressively formidable safety culture.
Today’s information security environment is changing dramatically. Today you
either hack your own culture or you wait for someone to do it for (or to) you.
Who’s Hacking Your Security Culture?

Think for a moment about the culture hackers in your own security program.
They may not be immediately apparent. Your first thought might be the security
awareness team, if your organization has one. These brave souls are presently the
tip of the spear when it comes to security culture transformation, although we
will see in later chapters that the challenge they face is often impossibly idealistic.
But if you are looking for those folks beating the behavioral drum and trying to
change the way the entire company thinks about security, awareness teams are
top of mind.
Security awareness managers are probably not the only ones socially
engineering your organization’s security beliefs and practices. Think about
your auditors, for example. Audits, particularly those for regulatory or industry
standards like the Payment Card Industry Data Security Standard (PCI DSS)
or Sarbanes-Oxley, have a material effect on a company’s ability to do business.
Internal audit and compliance teams are responsible for making sure the company
doesn’t fail audits, and they do their best to transmit and instill certain beliefs
and rituals into the larger enterprise. A strong audit culture is unlikely to believe,
for instance, that documented processes are unnecessary or that every employee
should have complete access to every system in order to stay agile. Given the
importance of maintaining compliance, auditors also typically have the power to
reprogram the organization’s focus and activities, even if only temporarily.
Finally, think about the project manager or line manager who has no direct
responsibility for security but can reward or punish his employees based on their
job performance, through promotions and pay raises, or even by firing poor
performers. Every organization has priorities, and these do not always align. In
fact, they can compete directly, a situation we often see in information security as
a sort of Rubik’s Cube effect, in which improving one part of the problem makes
another part worse.
Imagine our project manager running a software development team working
on a new product. Bringing the project in on time and on budget is a major
priority for the company. So, too, is ensuring that the product does not have
01-ch01.indd 11 02/07/15 10:52 AM

security vulnerabilities. What happens when there is not enough time to do both?
For example, suppose a developer realizes she has seven days to finish her work
before deadline but that a full security review will take ten days. She could go to
her manager and tell him that she will complete the review, because security is a
priority, but that the project will be late to market. Her manager’s response will
be key. Whether he gives her praise, like Bob received when he put safety first
and evacuated over a minor incident, or punishes her with the loss of a bonus
or maybe even her job for delaying the project, he will show everyone what the
company values most. When that choice comes up again, everyone will know
what to do.
Now imagine that you are the security awareness manager for this example
firm, or another member of the security team. If the cultural bias is toward
deadlines, how can your values compete? Security awareness suddenly becomes
more complex than just making sure all the developers know the policies on
secure coding and testing. Our developer was already aware of her responsibility
for security. But if management rewards and punishes based on project deadlines,
or budgets, or some other factor, no amount of handwringing, training sessions,
or posters on the wall will change a developer’s empirical understanding that
security comes second. That’s cultural engineering.
Security, Hack Thyself

You don’t have to have a graduate degree in organizational psychology to become
a culture hacker, any more than you need one in computer science to become a
technology hacker. What you do need is a new way of looking at your organizational
environment and the people in it, which requires imagination and a willingness to
experiment. Technology hackers don’t let others tell them what the system can or
cannot do, but instead figure it out for themselves by exploring the system. If you
want to hack culture, you have to learn how the culture really works, not just what
everyone thinks or expects of it.
The closest this book gets to a manifesto—and a first principle that anyone
seeking to transform their security culture must become comfortable with—
concerns the role of people in information security. In a people-centric security
program, human beings matter every bit as much as technology, and probably
quite a bit more. Technology enables people, not the other way around. Technology
neither cares nor suffers if it is hacked or compromised, at least not yet. If you were
to throw every IT asset your company owns out the window tonight, tomorrow
morning when everyone shows up for work you would still have an organization.
01-ch01.indd 12 02/07/15 10:52 AM

Kick out all the people, on the other hand, and tomorrow you will have a warehouse
full of stuff with no one left to care about whether or not it’s secure.
Computer systems are immensely complicated, designed and built from
hardware and software, governed by extraordinarily intricate architectures and
millions of lines of programmatic code. For all that, computers have finite limits
to their capabilities. People define what computers can do, and they do only what
they have been programmed to do, even in situations where those possibilities are
not what the programmers expected or intended. There are always clear reasons for
a computer’s behavior, at least once you have tracked down those reasons to root
causes. But complexity is different. Complex systems produce emergent behaviors,
an infinite possibility of outcomes that is impossible to predict. Those behaviors
may not be consistent, or even rational. People and social systems are complex in
ways that a computer can never be just on its own. But plugging a computer into a
social system like a company or a government creates new avenues for complexity
and emergent behavior. People-centric security recognizes that focusing on
technology systems alone will always be a losing battle because technology-centric
security is invariably outflanked by emergent human behavior. The moment you
think you’re covering all the angles, someone will figure out how to square a circle
and produce four more new angles where none previously existed.
Hacking your security culture, as opposed to hacking your IT infrastructure,
means digging into the forces that motivate people’s security-related behaviors
within your organization. You have to analyze not only what your systems
do, but what people are doing with them, how they are adapting them to new
and innovative purposes. Some of these new uses will create risk, but also
opportunity. Culture defines the interface between users and systems. If you want
to transform your organization’s security culture, to make it better and more
efficient at protecting organizational assets, you have to pull apart the people
system as well as the process and technology systems, so that you know all of
them inside and out. It isn’t enough to just observe what people do, or do with the
technology at their disposal. You have to understand why they do it, and try to
consider all the possible alternative decisions they could have made, rather than
just the one that may seem obvious or expected.
In the years since I sat in that hotel conference room and realized the
differences between a culture of safety and a culture of security, I have observed
dozens of other organizations’ InfoSec cultures. Every one has had something
to teach me. Even when I cannot get a customer to think about culture as much
as I might like, they always manage to keep me thinking about it. And I can tell
you that culture hacking in the security space is a zesty enterprise, regardless of
whether the organization is even aware they are doing it.
01-ch01.indd 13 02/07/15 10:52 AM

Culture Hacks: The Good

It’s always great to work with an organization that takes culture seriously, without
discounting it as too vague or paying lip service to its importance but never really
trying to change it. I’ve even encountered a few organizations that embraced the
cultural transformation of information security full on, with all the messiness
and uncertainty that come with that sort of work. In the case of one particular
organization, I had come in to help them define a new enterprise security
framework, a governance program that would tie together all the disparate and
sometimes dysfunctional silos and pockets of security ownership that had grown
up organically over the life of the company. As we walked through the various
options for designing the new program, the security team kept trying to articulate
what they really were trying to achieve. They had needs and requirements that
spanned people, processes, and technology, and our conversations often got
specific and detailed on one or more desired outcomes, but nothing ever seemed
to completely hit the mark. “Yes,” they would say, “we need that. But we need
much more.”
The organization was intrigued by ISO 27001, the international standard for
security program management, and asked me a lot of questions about what I
thought of it. I told them I thought very highly of ISO 27001. When properly
and conscientiously implemented, ISO 27001 can function as a very powerful
governance framework, one that I also think happens to be the most people-
centric security standard out there today. I told my customer so.
“But ISO isn’t for everyone,” I cautioned. “It’s not about technology or even
controls. The standard is about changing what your whole organization thinks
and believes when it comes to information security. Implementing ISO to me is
about driving a process of cultural transformation in regard to security across the
entire enterprise.”
The team members’ eyes lit up. Eureka! That was exactly what they had
been struggling to articulate. They didn’t just want a new security program,
they wanted a whole new security culture. “We don’t want to just change the
mechanics,” they explained, “or to switch out one set of controls or one best
practices framework for another. We want to change what security means to
the company, and we want to change it for every single person who works here
regardless of rank or role.” Amen, I thought.
That’s a good culture hack, or at least the beginning of one. The security team
wanted to change behavior, but recognized that behavior grew out of something
deeper. That was where they wanted to concentrate their efforts. It helped that
01-ch01.indd 14 02/07/15 10:52 AM

the company was already a self-consciously strong culture. The idea of social
identity and shared beliefs permeated its business. The security team already had
a template and a language that were familiar to them. Believing in the power of
culture in general makes it a lot easier to see the benefits of improving security
culture in particular.
Culture Hacks: The Bad

Not every organization thinks in terms of transforming their information security
program or culture. Some security teams are so swamped just keeping on top of
operational activities and deadlines that thinking about why they do things the
way they do, or whether they could do them better, seems like a luxury. It’s hard
to think about a five-year improvement plan when the auditors are coming next
week. In fact, compliance drives so much security activity today that it’s probably
the main motivation companies have for taking security as seriously as they do.
ISO 27001 is a voluntary security standard, but most companies are dealing
with the nonvoluntary sort. PCI DSS for credit card processors, Sarbanes-Oxley
internal control requirements for publicly traded companies, HIPAA regulations
in healthcare, along with a slew of other local, national, and transnational
regulatory regimes may put constant demands on the attention of the Chief
Information Security Officer (CISO).
Security compliance efforts are a bit of an attempt at culture hacking
themselves. Regulators and industry groups develop compliance requirements
as a means of forcing organizations to take security more seriously. This is great
insofar as it improves the final product. But when compliance replaces security
as the goal, cultural transformation backfires. It’s like the old Zen warning not to
mistake the finger pointing at the moon for the moon itself. Compliance is not
the same thing as security, as has been made painfully clear by recent security
incidents where auditors had previously signed off on the very systems that ended
up being compromised.
I’ve observed more than one organization where the security culture has been
trained and conditioned by compliance programs to equate successful audits with
good security. Even when certain folks inside the organization know better—and
often these are the security operations people, who know how the sausage is
made, so to speak—the shared assumption is that if the auditors are happy, the
organization must be secure. That, too, is a form of cultural transformation, just
not a good one.
Culture hacks are bad when they make the system easier but don’t actually
solve the problem. Knowledge of the system is partial or incomplete, making
01-ch01.indd 15 02/07/15 10:52 AM

a culture hacker feel like they have accomplished something more than they
actually have. To extend the metaphor, those who put total faith in a one-size-fits-
all compliance checklist are like cultural script kiddies, interested more in quick
results than in deep and lasting change.
Culture Hacks: The Ugly

Even when the efforts at cultural change are unsophisticated or incomplete, the
people trying to change things usually have good intentions. Most security teams
are passionate about what they do and are deeply concerned with making their
systems safer and stronger. But there will always be outliers, individuals and
organizations whose security behaviors are so egregious that you almost have to
think they want to fail.
I visited an organization once where the security management team members
were some of the most arrogant jerks I had ever met. Even though I had been
hired to help them, they belittled and second-guessed everything I or my team
said. When we asked if they had a particular control or process, they would roll
their eyes. “Of course we have that,” was the answer. “That’s security 101. Is that
all you smart consultants can ask us?”
In the organization’s defense, it did have a formidable set of controls in place.
A lot of highly sensitive data passed through its systems, and the information
security team made it difficult within those systems to share the data without
jumping through administrative hoops. “We lock our people down tight,” senior
leaders bragged to us. “No one gets up to any funny business.”
When we moved on from the leadership and started interviewing employees
who were lower on the organizational chart, we asked about the intense levels of
control the organization had put in place. Many of our interview subjects grinned
at the questions, then told us stories of how much of a pain it was to share
information efficiently.
“Those senior guys you talked to,” one employee told us, “all have personal
webmail accounts they’ve set up. When they want to share things quickly, they
just bypass the controls and attach stuff to their personal e-mails and share it.”
We were shocked. “But they said you guys couldn’t do anything like that,” we
protested.
“Oh, sure. We can’t. They don’t trust us, and they think everyone who is not
a manager is an idiot. But it’s not a problem for them. That’s just the way things
work around here.”
01-ch01.indd 16 02/07/15 10:52 AM

Security Is People!
This book is about giving organizations and the people responsible for securing
them a new set of concepts and techniques. I’m not trying to replace technology
or process as effective tools that are needed in information security. But I am trying
to give people, the often neglected third leg of the people-process-technology triad,
their proper place. People-centric security means looking at the human element
of data protection as more than just another threat vector. People-centric security
implies that without people there is no security, nor any need for it. Process and
technology are there to support people, both from a security perspective and for the
entire organization. Nobody starts out with security but no information to protect.
Security needs are born when an organization’s information supply chain starts
producing valuable assets that demand protection. People define when that occurs,
people make protection happen, and people are responsible when security fails.
Culture acts as a powerful engine of organizational security, and in subsequent
chapters I’ll go into lots of detail about what culture is and how it drives human
behavior. But the core premise of everything that will follow is this: if you want
to really change how security works, you have to change the culture operating
beneath it. Just because security has struggled with the human equation in the
past doesn’t mean it must continue to baffle us in the future. In fact, it can’t. Our
world is social, and our technologies are increasingly social. Our security must
be social too, retirement puns notwithstanding. People-centric, then. Security is
people!
Further Reading
▶▶ Adbusters: Journal of the Mental Environment. Available at www.adbusters.org.
▶▶ Hofstede, Geert, Gert Jan Hofstede, and Michael Minkov. Cultures and
Organizations: Software of the Mind. 3rd ed. New York: McGraw-Hill, 2010.
▶▶ Levy, Steven. Hackers: Heroes of the Computer Revolution. 25th Anniversary
Edition. Sebastopol, CA: O’Reilly, 2010.
▶▶ Myatt, Michael. Hacking Leadership: The 11 Gaps Every Business Needs to
Close and the Secrets to Closing Them Quickly. Hoboken, NJ: Wiley, 2013.
01-ch01.indd 17 02/07/15 10:52 AM

CHAPTER
Strategy for Breakfast:

2
The Hidden Power of
Security Culture
19
02-ch02.indd 19 13/08/15 4:01 PM

F
or an industry that is so grounded in engineering and technology,
information security can appear quite unscientific to those outside of
the field. Your organization’s information security team can probably
inundate you with reams of data about security operations and posture, including
product performance benchmarks, security event logs, patches applied, and
events counted. But the industry struggles to satisfactorily answer the question
of why one organization’s security strategy seems to protect the organization,
while another’s efforts fail miserably. It’s almost like fate or the wrath of the
gods is involved. We seem to know everything about how information security
works except how it actually works. That is not because information security is
inherently mystical or more art than science. Security fails because strategy is not
enough. Management guru Peter Drucker summed up the problem in a phrase:
“culture eats strategy for breakfast.” Too often, security programs searching
for the reasons why they failed in their technology or their strategy are simply
looking in the wrong place for answers.
Why Security Fails

I have a presentation I often give to customers and deliver at industry conferences,
a thought exercise to demonstrate how security can fail even in the face of controls
and commitment to ensuring that it does not. It’s a naturally visual thought
experiment, but I’ll try to commit to something more narrative in the following
pages. You can find an actual video presentation at http://lancehayden.net/culture.
We Start with a Design

Suppose we want to build a new system, or maybe protect an existing one. It can
be a technology system or an organizational system, a machine or a corporate
process, or even a global financial system…it doesn’t matter. We begin with a
design for the system. In the case of a new system, we create that design. If the
system already exists, we may just document the existing design. However we
do it, we end up with something we’ll call System 1. Now, we may know only a
little about this system or a lot, but one thing we always know for certain is that
there are conditions under which the system will fail. We may not know exactly
when or how such failure will occur, but we know it is inevitable given the right
circumstances. We may, in some cases, be able to test for failure, but in many
other cases that won’t be possible. Failure in this system is like a cliff in the dark,
02-ch02.indd 20 13/08/15 4:01 PM

Another random document with
no related content on Scribd:
became J. M. L. & W. H. Scovill. J. M. L. Scovill did the selling and his
brother ran the shop and the finances. In 1850 the firm was incorporated
as the present Scovill Manufacturing Company.
Meantime, Aaron Benedict established, in 1812, a factory at Waterbury
for making bone and ivory buttons, and, in 1823, he too began making
brass buttons. About 1820 James Croft, a brass worker from
Birmingham, England, came to the Scovills. A year later Benedict
secured him, and when Benedict and Israel Coe formed the firm of
Benedict & Coe, in 1829, Croft became one of the partners. Croft’s
coming marks a vital point in the history of the industry. On his advice,
both Scovill and Benedict began to do their own rolling. It was his
influence which induced them to import from Birmingham workmen,
processes and machinery. He went to England seven times for Benedict,
and Israel Holmes went three times for Scovill to bring back English
machinery, rollers and finishers. Israel Coe also went to England when
the Wolcottville Brass Company was started.[198] From that time, the
business may be said to have passed the experimental stage, and its
growth from 1830 was rapid. William Lathrop, who has made a study of
it, has traced, perhaps better than any other, the coincident growth of the
market and the industry. The raw material was at first mainly scrap
copper, old ship sheathing, kettles, boilers and stills, collected by the
Connecticut peddlers. More and more copper was imported until after
1850 when the mining of western copper began developing. All of the
zinc was imported until about 1870.
[198] Lathrop, p. 89.
Figure 48. Hiram W. Hayden
Figure 49. Israel Holmes
At first they rolled brass only for their own use, but new demands for it
were arising. By 1840 Chauncey Jerome had developed the cheap brass
clock. The discovery and refining of petroleum created a lamp industry.
The pin machinery, invented by Dr. J. I. Howe, Fowler, and Slocum &
Jillson, opened up another great outlet. Daguerreotype plates gave
another, and metallic cartridges another, while the invention of the
telegraph enormously extended the use of copper wire. The Waterbury
men were best able to meet these new demands, as they were the only
ones in the country with the facilities and experience needed, and they
“got in first.” While the rolling and the drawing processes were imported
bodily from England, and have continued almost unchanged, Yankee
ingenuity was constantly at work devising new articles made of brass
and improving the machinery for making the old ones.
With the increasing demand, firms began to multiply. Israel Holmes,
who had been with the Scovills for ten years, started Holmes &
Hotchkiss in 1830, and with English workmen and machinery made wire
and tubing for the market. After several changes in partnership, the firm
became Brown & Elton in 1838. Meantime, Holmes, with Israel Coe,
Anson Phelps and John Hungerford, started the Wolcottville Brass
Company in 1834, in what is now Torrington. They built up a prosperous
business in sheet-brass kettles, but lost heavily when Hiram W. Hayden,
then with Scovill, invented the spinning process. Their property was
eventually sold to Lyman Coe, and became the Coe Brass Company.
The Waterbury Brass Company was started in 1845, with Holmes as
president. Associated with him were H. W. Hayden, Elton, and Lyman
Coe, son of Israel Coe. In 1853 Holmes founded Holmes, Booth &
Haydens,[199] and in 1869 Holmes, Booth & Atwood, which two years
later was forced to change its name to Plume & Atwood on account of its
resemblance to the older company.
[199] There were two Haydens in the firm, H. W. Hayden was in charge of the
manufacturing and H. H. Hayden in charge of marketing the product.
Israel Holmes stands out among the indomitable personalities who

built up the brass industry. In addition to his invaluable work for the
Scovills, he started five of the strongest firms in the valley, and was the
first president of three.
Benedict & Coe became Benedict & Burnham in 1834, and from this
firm has come the American Pin Company, the Waterbury Button
Company and the Waterbury Clock and Watch companies. Anson
Phelps soon withdrew from the Wolcottville Brass Company and started
Smith & Phelps at Derby in 1836. Encouraged by its success, Phelps
planned to organize a large manufacturing community there, but he was
held up by a man who raised the price of some necessary land from
$5,000 to $30,000, so he moved two miles up the river and founded what
is now the city of Ansonia. In 1854 the firm was incorporated as the
Ansonia Brass & Copper Company. Mr. George P. Cowles, who came
from Wolcottville in 1848, was its executive head for forty years until his
death. From it sprang the Ansonia Clock Company, of Brooklyn, Wallace
& Sons, which failed in 1896 and became part of the Coe Brass
Company, and a number of other companies. The Chase Rolling Mills
Company developed from the Waterbury Manufacturing Company,
Benedict & Burnham, and Holmes, Booth & Haydens. Randolph &
Clowes came down through Brown & Brothers, and Brown & Elton from
the old Holmes & Hotchkiss firm.
HENRY AARON BENEDICT,
ABEL PORTER &
GRILLEY, 1790 1812
CO., 1802
Pewter Buttons Bone and ivory buttons.
Begins making brass
Started making brass
buttons
ones 1823
LEAVENWORTH,
HAYDEN &
SCOVILL, 1811
Fred’k Leavenworth, BENEDICT & COE,
David Hayden, J. M. 1829
L. Scovill, James Aaron Benedict, Israel
Croft, Israel Holmes. Coe, Jas. Croft
J. M. L. & W. H. HOLMES &
SCOVILL, 1827 HOTCHKISS,
Israel Holmes, H. W. 1830
Hayden Israel Holmes,
Horace
Hotchkiss,
Philo Brown
Howe Mfg. Co., BENEDICT & WOLCOTTVILLE BRASS CO., 1834
Darby; Slocum & BURNHAM, 1834 Israel Coe, Israel Holmes, Anson G.
Jillson, A. & Chas. Phelps, John Hungerford, Geo. P. Cowles,
Poughkeepsie, N. Benedict, G. W. John Davol—Torrington, Conn.
Y., and Fowler Burnham,
Bros., A. S. Chase, F. A.
Northford, Ct., Mason, Geo.
developed Somers
successful pin
machinery
BROWN & ELTON,
1838
Philo Brown, J. P.
Elton—Sold to SMITH & PHELPS, 1836
Brown & Bros. and WATERBURY Anson G. Phelps, Geo. P.
Holmes, Booth & BUTTON Cowles,
Haydens CO., 1849 Thos. Wallace, Thos.
Davol organised James.
AMERICAN Brooklyn First at Derby—Co. founded
PIN CO., 1846 Brass & Copper at
Co. in 1853 Ansonia in 1844
WATERBURY HUMPHREYSVILLE
BRASS CO., COPPER CO., 1849
1845 Thos. James,
Israel WALLACE & Seymour, Ct.
Holmes, J. P. SON, 1848
Elton, H. W. Thos. Wallace—
Hayden, Co. failed in
Lyman W. 1895—Plant sold
Coe, son of to Coe Br.
Israel Coe Co. in 1896
SCOVILL MFG. NEW HAVEN
CO., 1850 COPPER CO., 1855
The Scovill Brothers, WATERBURY
F. J. CLOCK CO.,
Kingsbery, Sr. 1857
BROWN & BROS.,
1851 COE BRASS CO.,
Philo Brown— 1863
Failed in 1886. L. W. Coe, Chas.
Geo H. Clowes F. Brooker
HOLMES, BOOTH & ANSONIA BRASS & COPPER CO., 1854
HAYDENS, 1853 Anson Phelps, Geo. P. Cowles
Israel Holmes, G. W.
Burnham, A. S.
Chase,
L. J. Atwood
Holmes, Booth & BRIDGEPORT BRASS CO., ANSONIA CLOCK CO.,
Atwood, 1869. 1865 1878
Name changed to John Davol, F. A. Mason, Brooklyn, N. Y.
PLUME & Geo. Somers,
ATWOOD, 1871 F. J. Kingsbury, Jr.
Israel Holmes, J. C.
Booth, L. J. Atwood
WATERBURY MFG. WATERBURY WATCH CO.,
CO., 1876 1880
A. S. Chase, Henry CHASE ROLLING
S. Chase, Fredk. S. MILL CO., 1900
Chase Henry S. Chase, Fredk. S.
WATERBURY BRASS Chase
SEYMOUR-MFG.
GOODS
CO., 1878
CORPORATION
AMERICAN
RANDOLPH &
BRASS CO.,
CLOWES, 1886
1899 CHASE METAL WORKS, 1914
R. F. Randolph, Geo.
Chas. F.
H. Clowes
Brooker
Figure 50. Genealogy of the Naugatuck Brass Industry
The American Brass Company was formed in 1899, and now

comprises the Waterbury Brass Company, Holmes, Booth & Haydens,
Benedict & Burnham, the Coe Brass Company and the Ansonia Brass &
Copper Company. This is the largest brass company in the world.
Such, briefly, is an outline of the history of the larger companies. To an
outsider their interrelations are almost inextricable. The chart (Fig. 50)
does little more than indicate them. As phases of the business grew,
there was a clearly defined policy of setting them off as separate
enterprises. The American Pin Company, the Clock, Watch and Button
companies, and the Brass Goods Corporation are examples. Only the
more important of these manufacturing companies are shown. While
there has been at times sharp competition among them, it always
stopped short of war, and when facing outside competition the
companies pull together.
Many of the heavy stockholders, as Holmes, Elton, Burnham and
Chase, were interested in several companies. Nearly all of the leaders
were born and grew up in the valley and were full of local spirit. Israel
Coe, Holmes, the Scovill brothers and Phelps, of the earlier order, were
men of great ability, as also Lyman Coe, Cowles and Charles F. Brooker,
of the later generation. The inventions of Hiram W. Hayden vitally
affected the history of four companies. They seriously undermined the
old Wolcottville company, shut the Brooklyn Brass Company out of
important phases of its business, and built up the prosperity of the
Waterbury Brass Company, and Holmes, Booth & Haydens. L. J.
Atwood, of Holmes, Booth & Haydens, and, later, Plume & Atwood, L. S.
White, of Brown & Brothers, and W. N. Weeden, of Benedict & Burnham,
were prolific inventors, and their work contributed to the growth of the
industry.
Other influential men have built machinery for the large companies.
Almon Farrel founded the Farrel Foundry & Machine Company in 1851,
and had two establishments, one in Ansonia and one in Waterbury. The
Waterbury plant was operated for many years by E. C. Lewis as agent.
He bought it in 1880, but as a matter of sentiment retained the old name,
prefixing the word Waterbury. The two plants have come to specialize
somewhat, the Waterbury one building mainly presses and stamping
machines, and the Ansonia one rolling mills and heavy machinery. E. J.
Manville, an expert mechanic from the Pratt & Whitney shop in Hartford,
with his five sons, founded the E. J. Manville Machine Company, which
has built up a wide reputation for its presses and headers. Among the
many others are William Wallace of Wallace & Sons, Ansonia, Charles
Johnson and A. C. Campbell.
The answer, then, to our question as to origin and success of the
Naugatuck brass industry is as follows. It sprang from the local
manufacture of buttons. A small group of able, forceful and ingenious
men developed the best facilities in the country for rolling and drawing
brass, and when new demands came they were the only ones with
experience prepared to meet them. They were originally well situated for
raw material. Later they bought their copper in Baltimore. By the time
copper began coming from the West, the Waterbury companies were
firmly established. Copper is expensive, its unit of weight is the pound
and not the ton, and freight rates are far less important than with steel,
so the industry’s detached location did not outweigh the advantage of its
early start. A large force of workmen skilled in handling brass has been
developed in these factories and no large enterprise could now be
started elsewhere without drawing upon them. Many of these workmen
own their homes, and their relations with the employers have generally
been so friendly that higher wages elsewhere do not seem to attract
them.
Finally, and perhaps most important of all, are the men who have
designed and built the tools used. Connecticut leads all other states in
the ratio of patents to the population, and Waterbury has led the rest of
Connecticut in the proportion of nearly two to one. All the finishing or
“cutting up” shops, as they are locally known, contain highly developed
machinery—nearly all of it special, much of it designed and built in the
shop where it is used.
This includes machinery for making eyelets, hooks and eyes, pins,
cartridges, wire forming machinery, thread rolling, and headers and
stamping machinery. Some of these machines, as, for instance, the last
two mentioned, are more or less standard, but their tool equipment has
been wonderfully developed and is bewildering in its variety. Much of this
machinery has never been made public, and nearly all of it is too special,
too intricate and too varied for description here. It is natural, under these
circumstances, that the mechanics who developed these tools should be
comparatively little known. They have, however, been a vital element in
the Naugatuck brass industry, and should be recognized as successful
American tool builders.
CHAPTER XIX
PHILADELPHIA
Although the commercial manufacture of machinery began in New
England, Philadelphia became, and for a long time remained, the
largest tool building center in the country. Its large population and
nearness to coal, iron and tide water, made this almost inevitable,
but it was hastened by the work of two brilliant mechanics, William
Sellers and William Bement.
Bishop, in his “History of American Manufactures,”[200] says: “In
the invention and construction of machinery and instruments for
practical and scientific purposes, Philadelphia mechanics early
acquired a reputation for skill. The records of original American
invention contain few names more distinguished than those of
Godfrey, the inventor of the quadrant, of Rittenhouse, who made the
first telescope constructed in America, and whose orrery and other
scientific instruments displayed unusual mechanical and
mathematical genius; of Franklin, Evans, Fulton, Fitch, and others
whose inventive and constructive skill have added to the permanent
wealth of the State and the Union.” Of these, Oliver Evans seems to
have affected modern manufacturing methods the most.
[200] Vol. I, p. 576.
Evans was born in Delaware in 1755. He was apprenticed to a

wheelwright, and invented a card machine as early as 1777, but
never followed it up. In 1785 he built a flour mill in Newcastle County,
Del.; and, impatient at the crude methods in use, he began a series
of improvements which form the basis of the modern art of handling
materials. It has been claimed that Evans stole many of these ideas
from the Ellicotts in Maryland. This does not seem probable. Thomas
Ellicott wrote a portion of the “Millwright and Millers Guide” which
Evans published to help introduce his machinery, and in this Ellicott
himself refers to “the elevators, hopper-boys, etc., invented by Oliver
Evans, late of Delaware, though now of Philadelphia.” Evans
developed a number of closely related transporting devices about
which no question is raised and no claims on behalf of the Ellicotts
made; and many years later, in 1812, Evans sued those Ellicotts who
were then operating for infringement of his patents and obtained
judgment. If they could have proved priority it seems natural that
they would have done so.
Evans’ improvements related chiefly to the movement of materials
during the processes of manufacture. He modified the ancient
Egyptian chain of pots, used for irrigation, by using an endless belt
carrying iron buckets so arranged as to fill with dry material from a
boot at the bottom and to empty by gravity into a hopper as they
went over the head pulley. He used a belt conveyor for horizontal
movement, without however the troughing feature which is a later
improvement. When the discharge end was lowest, Evans utilized
gravity to drive it, and called it a “descender.” What Evans called a
“drill” was an “elevator laid horizontally” and provided with wooden
cleats which scraped the grain along the bottom of the box in which it
ran, and was nothing more nor less than our modern flight or scraper
conveyor. Evans’ “conveyor” was a round, wooden shaft on which he
nailed a sheet-iron spiral which pushed the grain along a trough in
which the shaft rotated; and when he wished to stir or dry the
material as he moved it, he broke up the continuous helix into a
number of separate arms arranged spirally. These of course
correspond to the modern screw conveyor. His so-called “hopper-
boy” consisted of a vertical shaft with a horizontal cross bar at its
lower end provided on its lower side with flights which spread the
meal for drying, and slowly worked it in a spiral toward a hopper at
the center. The angle of the flights was adjustable so that the time
allowed for cooling could be varied. He also used pivoted wooden
spouts at the discharge of the elevators to deliver the grain into
different bins. These improvements are said to have effected a
saving of over $30,000 a year in the Ellicott Mill at Patapsco, Md., on
an output of 325 barrels a day.[201] In his patents and various books
Evans shows nearly all of the modern transporting devices in
substantially their present forms.[202]
[201] Paper by Coleman Sellers on “Oliver Evans and his Inventions.”
Journal of the Franklin Institute, Vol. CXXII, p. 1.
[202] Sections of Evans’ mills are shown in the American Machinist of
November 7, 1907, and December 17, 1914. In both cases the conveyor
system was arranged to take material either from wagons on one side of the
mill or from boats on the opposite side.
Evans moved to Philadelphia some time prior to 1790. In 1800 he

had a mill near Third and Market Streets and the next year was
selling mill supplies at Ninth and Market Streets. As a boy he had
become interested in the steam engine. A description of the
Newcomen engine fell into his hands and he was struck with the fact
that the steam was used only to produce a vacuum and saw that
more power could be obtained if it were used to produce pressure.
After his removal to Philadelphia he made an engine 6 inches
diameter by 18 inches stroke, which was running in 1802, grinding
plaster of Paris and sawing wood. It cost, boiler and all, more than
$3700 and nearly impoverished him. Its successful operation,
however, led to an order for an engine to drive a steamboat on the
Mississippi, which was sent to New Orleans but never used for its
original purpose. The boat it was intended for had been stranded
high and dry during a flood, so the engine was set to running a saw
mill and later a cotton press. In 1803 Evans began business as a
regular engine builder and was unquestionably the first one in the
United States. He advocated long stroke engines operating under
high steam pressure, of which he had built fifty by 1816. In 1804 he
built a flat bottomed boat, fitted with a steam driven, chain bucket
dredge, which he called the “Oruktor Amphibolos” or in good English
the Amphibious Digger. It was built more than a mile from the river,
and was mounted on rollers connected with the engine. After moving
around what is now the City Hall Square each day for several days,
the boat walked out Market Street to the Schuykill and into the water;
its rollers were disconnected, a stern paddle wheel substituted, and it
steamed down the Schuykill and around up the Delaware to the city.
In 1805 he advertised a new book, “The Young Engineer’s Guide,”
which he intended to be very complete and “abstruse.” Disappointed
in his application for the extension of his patents and crippled by his
first engine ventures, he issued it much abridged, with only part of
the illustrations planned, and called it “The Abortion of the Young
Engineer’s Guide.” The proportions given in this book for one of his
steam engines were: diameter of cylinder, 20 inches; stroke, 5 feet;
steam pressure, 194 to 220 pounds. The boilers were of cast iron, 30
inches in diameter, 24 feet long, fired at one end, with a single return
flue. An engine was actually built to these proportions for the
Fairmount Water Works. It may be added that the boilers burst on
three different occasions.
In 1807 Evans was established as “Millwright and Engineer” at the
Mars Works at Ninth and Vine Streets. An old description of the plant
says that it consisted of
an iron foundry, mould-maker’s shop, steam engine manufactory, blacksmith’s
shop, and mill-stone manufactory, and a steam engine used for grinding materials
for the use of the works, and for turning and boring heavy cast or wrought iron
work. The buildings occupy one hundred and eighty-eight feet front and about
thirty-five workmen are daily employed. They manufacture all cast or wrought-iron
work for machinery for mills, for grinding grain or sawing timber; for forges, rolling
and slitting-mills, sugar-mills, apple-mills, bark-mills, &c. Pans of all dimensions
used by sugar-boilers, soap-boilers, &c. Screws of all sizes for cotton-presses,
tobacco-presses, paper-presses, cast iron gudgeons, and boxes for mills and
wagons, carriage-boxes, &c., and all kinds of small wheels and machinery for
Cotton and Wool spinning, &c. Mr. Evans also makes steam engines on improved
principles, invented and patented by the proprietor, which are more powerful and
less complicated, and cheaper than others; requiring less fuel, not more than one-
fiftieth part of the coals commonly used. The small one in use at the works is on
this improved principle, and it is of great use in facilitating the manufacture of
others. The proprietor has erected one of his improved steam engines in the town
of Pittsburg, and employed it to drive three pair of large millstones with all the
machinery for cleaning the grain, elevating, spreading, and stirring and cooling the
meal, gathering and bolting, &c., &c. The power is equal to twenty-four horses and
will do as much work as seventy-two horses in twenty-four hours; it would drive
five pair of six-feet millstones, and grind five hundred bushels of wheat in twenty-
four hours.[203]
[203] Freedley: “Philadelphia and its Manufactures,” pp. 54-55.
Philadelphia, 1858.
Incidentally the last sentence is an admirable illustration of the

origin of the term “horse power.” This business was carried on until
Evans’ death. It would be interesting to know how far he influenced
the design of Mississippi river boat engines which have retained the
proportions characteristic of the engines which he first built for that
service.
Evans’ best-known book, “The Young Millwright and Miller’s
Guide,” went through a number of editions and was translated and
published abroad. In this he gives his idea of “The True Path to
Inventions.” It is well worth quoting, as it explains, in part, his own
success as an inventor.
Necessity is called the mother of Invention—but upon inquiry we shall find that
Reason and Experiment bring them forth.—For almost all inventions have resulted
from such steps as the following:
Step I. Is to investigate the fundamental principles of the theory, and process, of
the art or manufacture we wish to improve.
II. To consider what is the best plan, in theory, that can be deduced from, or
founded on, those principles to produce the effect we desire.
III. To inquire whether the theory is already put in practice to the best advantage;
and what are the imperfections or disadvantages of the common process, and
what plans are likely to succeed better.
IV. To make experiments in practice, upon any plans that these speculative
reasonings may suggest, or lead to.—Any ingenious artist, taking the foregoing
steps, will probably be led to improvements on his own art: for we see by daily
experience that every art may be improved. It will, however, be in vain to attempt
improvements unless the mind be freed from prejudice, in favour of established
plans.[204]
[204] pp. 345-346.
Evans was certainly an independent, and probably the first,

inventor of the high pressure steam engine, a type of engine which
he saw was well suited to American pioneer conditions. He was
interested in steam locomotion, and predicted the development of
railways with singular accuracy.
The time will come when people will travel in stages moved by steam engines
from one city to another almost as fast as birds fly—fifteen to twenty miles an hour.
Passing through the air with such velocity—changing the scenes in such rapid
succession—will be the most exhilarating, delightful exercise. A carriage will set
out from Washington in the morning, and the passengers will breakfast at
Baltimore, dine at Philadelphia, and sup at New York the same day.
To accomplish this, two sets of railways will be laid so nearly level as not in any
place to deviate more than two degrees from a horizontal line, made of wood or
iron, on smooth paths of broken stone or gravel, with a rail to guide the carriages
so that they may pass each other in different directions and travel by night as well
as by day; and the passengers will sleep in these stages as comfortably as they do
now in steam stage-boats. A steam engine that will consume from one-quarter to
one-half a cord of wood will drive a carriage 180 miles in twelve hours, with twenty
or thirty passengers, and will not consume six gallons of water. The carriages will
not be overloaded with fuel or water.... And it shall come to pass that the memory
of those sordid and wicked wretches who oppose such improvements will be
execrated by every good man, as they ought to be now.
Posterity will not be able to discover why the Legislature or Congress did not
grant the inventor such protection as might have enabled him to put in operation
these great improvements sooner—he having asked neither money nor a
monopoly of any existing thing.[205]
[205] Evans: Extract from “Address to the people of the United States,”
quoted in the Journal of the Franklin Institute, Vol. CXXII, p. 13.
He practically initiated the modern science of handling materials.

While many of his theories were faulty, his mechanical practice was
seldom wrong. He was a restless man, discontented and inclined to
air his grievances in public. Once, in a fit of pique, he destroyed the
drawings and records of, it is said, more than eighty inventions—an
act which he regretted later. Though frequently disappointed, he was
in the end fairly successful, and was unquestionably one of the
foremost of the early American mechanics.
In Philadelphia, as in New England, many of the early shops made
textile machinery. Arkwright machines were built by James
Davenport at the Globe Mills at the north end of Second Street,
which Washington visited in 1797 when the new Federal
Government inaugurated its policy of developing American
industries. Davenport died soon after, the business ceased and the
factory was sold in 1798. Cotton machinery is said to have been
manufactured also by Eltonhead in 1803.
Philadelphia was then the largest city in the country, with an active
industrial life. It was natural, therefore, that the tools and methods
developed in and about Pawtucket should, sooner or later, take root
there. In 1810 Alfred Jenks, a direct descendant of Joseph Jenks, of
Lynn, having served his time with Samuel Slater in Pawtucket,
moved to Holmesburg, Pa., and started the first factory in
Pennsylvania for making textile machinery. His business grew rapidly
and in 1820 he moved to Bridesburg, now a part of Philadelphia,
bringing his shop along with him on rollers. By 1825 there were thirty
cotton mills in and about the city, most of which he had equipped. As
the demand for woolen machinery arose Jenks met it and he
equipped the first woolen mill built in the state. Under his leadership
and that of his son, Barton H. Jenks, the shop had a wide influence
and was the foremost of the early Philadelphia plants building textile
machinery. Other early shops in this field were those of J. & T. Wood,
Hindle & Sons, James Smith & Company, W. P. Uhlinger &
Company.[206]
[206] Freedley: “Philadelphia and its Manufactures,” pp. 299-302, 427.
Philadelphia, 1858.
The two plants which gave Philadelphia its great reputation for tool
building were those established by Sellers and Bement. Probably no
one has had a greater influence on machine tools in America than
William Sellers. He has been called the Whitworth of America, and
there is a singular parallelism in the work and influence of the two
men. Sellers was born in Pennsylvania in 1824, was educated in a
private school maintained by his father, and later apprenticed to his
uncle, John M. Poole, at Wilmington, Del.[207] When only twenty-one
he took charge of the machine shop of Fairbanks, Bancroft &
Company in Providence, R. I. Three years later he began the
manufacture of machine tools and mill gearing at Thirtieth and
Chestnut Streets, Philadelphia, and was soon after joined by Edward
Bancroft, who moved from Providence, the firm becoming Bancroft &
Sellers. John Sellers, Jr., a brother of William, became a partner and
in 1853 they moved to Sixteenth Street and Pennsylvania Avenue.
Mr. Bancroft died in 1855 and the firm became William Sellers &
Company, which was incorporated in 1886, with William Sellers as
president.
[207] Journal of the Franklin Institute, Vol. CLIX, pp. 365-383.
Bancroft was the inventive member of the firm and Mr. Sellers the
executive. Sellers’ designing ability did not develop until after
Bancroft’s death. His first patent was granted in 1857. In all he was
granted over ninety United States patents and many others in foreign
countries, covering a wide variety of subjects; machine tools of all
kinds, injectors which he introduced into the United States, rifling
machines, riveters, boilers, hydraulic machinery, hoisting cranes,
steam hammers and engines, ordnance, turntables, etc. One of the
best known and most original of Sellers’ machines was the spiral
geared planer patented in 1862, which has always been associated
with his name.
Almost from the first Sellers cut loose from the accepted designs
of the day. He was among the first to realize that red paint, beads
and mouldings, and architectural embellishments were false in
machine design. He introduced the “machine gray” paint which has
become universal; made the form of the machine follow the function
to be performed and freed it from all pockets and beading. Like
Bement he realized that American tools then being built were too
light; and they both put more metal into their machines than was the
practice elsewhere. From the first he adopted standards and
adhered to them so closely that repair parts can be supplied today
for machines made fifty years ago.
In April, 1864, Sellers, as president of the Franklin Institute, read a
paper on “A System of Screw Threads and Nuts,” in which he
proposed the system of screw threads since variously known as the
Sellers, Franklin Institute, or U. S. Standard.[208] They embodied the
sixty degree angle and a flat of one-eighth of the pitch at the top and
bottom of the thread. In this paper Sellers stated clearly the need for
some generally accepted standard, reviewed the various threads
then used, particularly the Whitworth thread, with its fifty-five degree
angle and rounded corners, which he disapproved of on three
grounds; first, that it was difficult to secure a fit at the top and bottom;
second, that the angle was difficult to verify; and third, the high cost
of making cutting tools which would conform accurately to the
standard. He proposed the sixty degree angle as easier to make and
already in general use in this country, and the flat top as easy to
generate and to verify. He went a step further, and proposed at the
same time a standard for bolt-heads and nuts, in which the
dimensions were derived from a simple formula and the distance
across flats was the same for square and hexagon nuts, so that the
same wrench would do for either style of nut.
[208] Journal of the Franklin Institute, Vol. LXXVII, p. 344.

Ebook People Centric Security Transforming Your Enterprise Security Culture PDF Full Chapter PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ebook People Centric Security Transforming Your Enterprise Security Culture PDF Full Chapter PDF

Uploaded by

Copyright:

Available Formats

People-centric security : transforming

your enterprise security culture - eBook

New York Chicago San Francisco

00-FM.indd 1 11/08/15 11:55 AM

eBook conversion by codeMantra

To Jayne and Wyatt, because everything.

00-FM.indd 3 11/08/15 11:55 AM

About the Author

About the Technical Editor

00-FM.indd 4 11/08/15 11:55 AM

Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture . . . . . . . 19

Chapter 3 Organizational Culture: A Primer . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 4 Cultural Threats and Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Part II Measuring Your Security Culture

Chapter 6 The Security Culture Diagnostic Survey (SCDS) .. . . . . . . . . . . . . . . 115

Chapter 8 Implementing a Successful Security Culture Diagnostic Project . . . . . . . 159

Part III Transforming Your Security Culture

Chapter 10 Security FORCE: A Behavioral Model for People-Centric Security .. . . . . 201

Chapter 11 The Security Value of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Chapter 12 The Security Value of Operations . . . . . . . . . . . . . . . . . . . . . . . 239

Chapter 13 The Security Value of Resilience . . . . . . . . . . . . . . . . . . . . . . . . 263

Chapter 14 The Security Value of Complexity . . . . . . . . . . . . . . . . . . . . . . . 285

00-FM.indd 5 11/08/15 11:55 AM

vi People-Centric Security: Transforming Your Enterprise Security Culture

Chapter 15 The Security Value of Expertise . . . . . . . . . . . . . . . . . . . . . . . . 309

Chapter 16 Behavior and Culture: Mastering People-Centric Security . . . . . . . . . . 333

Chapter 17 Leadership, Power, and Influence in People-Centric Security . . . . . . . . 357

Chapter 18 Securing a People-Centric Future .. . . . . . . . . . . . . . . . . . . . . . . 369

00-FM.indd 6 11/08/15 11:55 AM

Part I Understanding Your Security Culture

Chapter 1 Information Security: Adventures in Culture Hacking . . . . . . . . . . . . 3

Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture . . . . . . . 19

00-FM.indd 7 11/08/15 11:55 AM

viii People-Centric Security: Transforming Your Enterprise Security Culture

The Opposite of Monoculture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Chapter 3 Organizational Culture: A Primer . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 4 Cultural Threats and Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

00-FM.indd 8 11/08/15 11:55 AM

Part II Measuring Your Security Culture

Chapter 5 The Competing Security Cultures Framework .. . . . . . . . . . . . . . . . . 81

Chapter 6 The Security Culture Diagnostic Survey (SCDS) . . . . . . . . . . . . . . . . 115

00-FM.indd 9 11/08/15 11:55 AM

x People-Centric Security: Transforming Your Enterprise Security Culture

Security Culture Diagnostic Strategies: Case Studies . . . . . . . . . . . . . . . . . . . . . . . 128

Chapter 8 Implementing a Successful Security Culture Diagnostic Project . . . . . . . 159

Part III Transforming Your Security Culture

Chapter 9 From Diagnosis to Transformation: Implementing People-Centric Security . 189

00-FM.indd 10 11/08/15 11:55 AM

Technology and Automation Approaches . . . . . . . . . . . . . . . . . . . . . . . . . 196

Chapter 10 Security FORCE: A Behavioral Model for People-Centric Security . . . . . 201

Chapter 11 The Security Value of Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

00-FM.indd 11 11/08/15 5:37 PM

xii People-Centric Security: Transforming Your Enterprise Security Culture

Chapter 12 The Security Value of Operations .. . . . . . . . . . . . . . . . . . . . . . . . 239

Chapter 13 The Security Value of Resilience . . . . . . . . . . . . . . . . . . . . . . . . . 263

00-FM.indd 12 11/08/15 11:55 AM

Improving Your Resilience Value Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Chapter 14 The Security Value of Complexity . . . . . . . . . . . . . . . . . . . . . . . . 285

Chapter 15 The Security Value of Expertise .. . . . . . . . . . . . . . . . . . . . . . . . . 309

00-FM.indd 13 11/08/15 11:55 AM

xiv People-Centric Security: Transforming Your Enterprise Security Culture

Assessing Your Expertise Value Behaviors .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Chapter 16 Behavior and Culture: Mastering People-Centric Security . . . . . . . . . . 333