Cybersecurity Canon Book Review: "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors"

Posted: 
review

Book Written by Perry Carpenter
Book Reviewed by Ron Woerner and Ben Rothke

Bottom Line: 
In Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, author Perry Carpenter provides new perspectives on security awareness based on psychology, marketing, human behavior, and storytelling. The term Transformational in the title is not a hyperbole. For those looking to ensure their user’s security behaviors are done in a secure manner, this is a great guide to take you there. This book’s unique approach and practical applications on influencing the right security behaviors makes it a highly recommended Cybersecurity Canon candidate. 

Review

Rothke writes: When Coolio sang these words in “Gangsta’s Paradise,” I doubt that he had information security awareness in mind: 
They say I gotta learn, but nobody's here to teach me
If they can't understand it, how can they reach me?
I guess they can't, I guess they won't
I guess they frontin’; that's why I know my life is out of luck, fool

While no one would accuse Coolio of being a pedagogue, the lyrics are quite applicable to the often-sorry state of information security awareness training. In "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley ISBN: 978-1-119-56634-2)," author Perry Carpenter has written an interesting work that addresses the weakest link in information security—that of the end-user.
The truth be told, it’s always easy to blame the end-user. However, the reality is that end-users make many mistakes when systems and interfaces are poorly designed. And they make security errors when they don’t have effective training.
When it comes to security awareness training, too many firms think that all they need to do is show their staff a boring PowerPoint and that they’ll somehow get the message. In the book, Carpenter pretty much throws out all of the old-school methods for security awareness and suggests much better methods to get the message across. In this valuable book, Carpenter shows the steps necessary to make information security awareness transform from a sleepy exercise to one that engages and informs all of the participants. 
Carpenter writes that for security awareness to be successful, a multidisciplinary approach must be taken. To that end, he brings many insights on how to effectively get the awareness message across. While too many people focus on cute images and memes for the awareness presentation, the book shows how there is much more to awareness than that. There are areas of psychology, culture, communications, and much more that must be integrated into the awareness program for it to be effective. 
At the beginning of chapter 3, Carpenter quotes Lance Spitzner of SANS, who noted that 80% of security awareness professionals have highly technical backgrounds. That shows that they understand the problem. However, if they don’t have the requisite communications and training skills, then the message of information security won’t get across. The rest of the book expands on that idea that for awareness to be effective, it has to be effectively thought out and implemented.
A large part of the process Carpenter tries to give over focuses on the notion of intentional focus. Unless the participants have this intentional focus on the content (and he spends much time on how to develop compelling content), then the awareness training will simply be a fruitless endeavor. 
For those who are serious and looking to develop an information security awareness program that works and resonates a compelling message, Carpenter has written a highly practical guide to show you how to do that. There are no shortcuts suggested. Instead, the reader is expected to do the necessary legwork and develop their own awareness program. 
The mark of a really good book is when after reading it you see that all of it makes sense. And this is indeed a really good book. The term Transformational in the title is not a hyperbole. For those looking to ensure their user’s security behaviors are done in a secure manner, this is a great guide to take you there.

Woerner writes: Why do we need security awareness actively practiced by people throughout an organization? Why is it such an important part of a mature security program? 
Many of us in the security industry already know why. It’s the idea that one weak link can cause a major security incident. What we don’t know is how to build an effective security awareness program that permeates throughout the organization starting at the very top with the CEO. 
In Perry Carpenter’s book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley ISBN: 978-1-119-56634-2), you will learn tips and tricks to make an effective program that people value and that proactively prevents security events. By providing readers with actionable steps for building and sustaining security awareness programs, Carpenter gives us a resource worthy of being in the Cybersecurity Canon Hall of Fame. 
By starting with why we need security awareness as recommended by Carpenter, we can better understand what needs to be done and how to do it. Also, by beginning with the end in mine, we have a better vision for how to structure an impactful security awareness program where people feel they’re part of the solution rather than the problem. 
I recommend that approach with Transformational Security Awareness. To get the most value from it, don’t feel compelled to read it serially. Skim Chapter one to understand the “Why” of security awareness. Then jump ahead to Chapters 8 and 9 to best understand your destination. This help you map your security awareness journey from where you are to where you want to be.  In looking through the Table of Contents, you can next choose an area of security awareness where you’re struggling. 
The core of the book provides Tools of Transformation with actionable ideas for improving how we deliver impactful security awareness. To do that, we need to understand areas not normally considered part of a security professionals skillset: Marketing, Communications, Human Behavior, and Corporate Culture. 
•  Marketing and Communication – Chapter 3 explains how security leaders can best communicate their message to have an impact on all involved. Concepts explained in this chapter include “Seven Key Takeaways from the Communications Discipline," “The Sever P’s of Marketing,” and “the Power of Emotion.” Each of these are invaluable tools for anyone looking to influence others. 
•  Behavior Management – Chapter 4 reminds us that we’re all human. Rather than chastising our users for being human, we need to learn how to leverage it. Carpenter uses concepts such as Nobel Prize-winning psychologist Daniel Kahneman’s Thinking Fast and Slow to understand human thinking for more impactful security awareness. He also delivers concrete ways of debugging behaviors that may undermine a security campaign.  
•  Culture Management – Chapter 5 is a must-read for both business and security leaders who set the organization’s culture. Here the reader is given tools to start, shift and set security-aware beliefs, behaviors and values throughout an organization by leveraging security champions at all levels. 
•  What’s in a Modern Security Awareness Leaders Toolbox – Chapter 6 expands the number of instruments security leaders should use in their awareness programs. Here, Carpenter delivers both the methods and means for impactful security awareness through learning modules, micro-learning, events, and even day-to-day activities. If you’re security awareness program is struggling, this is the chapter for ideas on how to make it more robust. 
Throughout Transformational Security Awareness, Carpenter sprinkles valuable mental notes, resources, and thoughts from industry leaders to help the reader better understand how to apply security awareness within their organization. The culmination is a treasure-trove of ideas providing us with one of the better (if not the best) books on how-to deliver a successful security awareness program. For this reason, I recommend this book for the Cybersecurity Canon and as a top contender for their Hall of Fame. 

More Books

Navigating the Cybersecurity Career Path