Building an Information Security Awareness Program - 1st Edition - ISBN: 9780124199675, 9780124199811

Building an Information Security Awareness Program

1st Edition

Defending Against Social Engineering and Technical Threats

Authors: Bill Gardner, Valerie Thomas
Paperback ISBN: 9780124199675
eBook ISBN: 9780124199811
Imprint: Syngress
Published Date: 7th August 2014
Page Count: 214


The best defense against the increasing threat of social engineering attacks is security awareness training that warns your organization's staff of the risk and educates them on how to protect your organization's data. Social engineering is not a new tactic, but Building a Security Awareness Program is the first book that shows you how to build a successful security awareness training program from the ground up.

Building a Security Awareness Program provides you with a sound technical basis for developing a new training program. The book also tells you the best ways to garner management support for implementing the program. Author Bill Gardner is one of the founding members of the Security Awareness Training Framework. Here, he walks you through the process of developing an engaging and successful training program for your organization that will help you and your staff defend your systems, networks, mobile devices, and data.

Forewords written by Dave Kennedy and Kevin Mitnick!

Key Features

  • The most practical guide to setting up a Security Awareness training program in your organization
  • Real world examples show you how cyber criminals commit their crimes, and what you can do to keep you and your data safe
  • Learn how to propose a new program to management, and what the benefits are to staff and your company
  • Find out about various types of training, the best training cycle to use, metrics for success, and methods for building an engaging and successful program


Audience: information security practitioners and an academic audience of information security majors, as well as IT managers looking to implement security awareness training in their organizations.

Table of Contents

  • Dedications
  • Forewords
  • Preface
  • About the Authors
  • Acknowledgments
  • Chapter 1: What Is a Security Awareness Program?
    • Abstract
    • Introduction
    • Policy Development
    • Policy Enforcement
    • Cost Savings
    • Production Increases
    • Management Buy-In
  • Chapter 2: Threat
    • Abstract
    • The Motivations of Online Attackers
    • Money
    • Industrial Espionage/Trade Secrets
    • Hacktivism
    • Cyber War
    • Bragging Rights
  • Chapter 3: Cost of a Data Breach
    • Abstract
    • Ponemon Institute
    • HIPAA
    • The Payment Card Industry Data Security Standard (PCI DSS)
    • State Breach Notification Laws
  • Chapter 4: Most Attacks Are Targeted
    • Abstract
    • Targeted Attacks
    • Recent Targeted Attacks
    • Targeted Attacks Against Law Firms
    • Operation Shady RAT
    • Operation Aurora
    • Night Dragon
    • Watering Hole Attacks
    • Common Attack Vectors: Common Results
  • Chapter 5: Who Is Responsible for Security?
    • Abstract
    • Information Technology (IT) Staff
    • The Security Team
    • The Receptionist
    • The CEO
    • Accounting
    • The Mailroom/Copy Center
    • The Runner/Courier
    • Everyone Is Responsible For Security
  • Chapter 6: Why Current Programs Don't Work
    • Abstract
    • The Lecture is Dead as a Teaching Tool
  • Chapter 7: Social Engineering
    • Abstract
    • What is Social Engineering?
    • Who are Social Engineers?
    • Why Does It Work?
    • How Does It Work?
    • Information Gathering
    • Attack Planning and Execution
    • The Social Engineering Defensive Framework (SEDF)
    • Where Can I Learn More About Social Engineering?
  • Chapter 8: Physical Security
    • Abstract
    • What is Physical Security?
    • Physical Security Layers
    • Threats to Physical Security
    • Why Physical Security is Important to an Awareness Program
    • How Physical Attacks Work
    • Minimizing the Risk of Physical Attacks
  • Chapter 9: Types of Training
    • Abstract
    • Training Types
    • Formal Training
    • Informal Training
  • Chapter 10: The Training Cycle
    • Abstract
    • The Training Cycle
    • New Hire
    • Quarterly
    • Biannual
    • Continual
    • Point of Failure
    • Targeted Training
    • Sample Training Cycles
    • Adjusting Your Training Cycle
  • Chapter 11: Creating Simulated Phishing Attacks
    • Abstract
    • Simulated Phishing Attacks
    • Understanding the Human Element
    • Methodology
    • Open-Source Tool, Commercial Tool, or Vendor Performed?
    • Before You Begin
    • Determine Attack Objective
    • Select Recipients
    • Select a Type of Phishing Attack
    • Composing the E-mail
    • Creating the Landing Page
    • Sending the E-mail
    • Tracking Results
    • Post Assessment Follow-up
  • Chapter 12: Bringing It All Together
    • Abstract
    • Create a Security Awareness Website
    • Sample Plans
    • Promoting Your Awareness Program
  • Chapter 13: Measuring Effectiveness
    • Abstract
    • Measuring Effectiveness
    • Measurements vs. Metrics
    • Creating Metrics
    • Additional Measurements
    • Reporting Metrics
  • Chapter 14: Stories from the Front Lines
    • Abstract
    • Phil Grimes
    • Amanda Berlin
    • Jimmy Vo
    • Security Research at Large Information Security Company
    • Harry Regan
    • Tess Schrodinger
    • Security Analyst at a Network Security Company
    • Ernie Hayden
  • Appendices
    • Appendix A: Government Resources
    • Appendix B: Security Awareness Tips
    • Appendix C: Sample Policies
    • Appendix D: Commercial Security Awareness Training Resources
    • Appendix E: Other Web Resources and Links
    • Security Awareness Posters
    • Appendix F: Technical Tools That Can Be Used to Test Security Awareness Programs
    • Appendix G: The Security Awareness Training Framework
    • Appendix H: Building A Security Awareness Training Program Outline
    • Appendix I: State Security Breach Notification Laws
    • Appendix J: West Virginia State Breach Notification Laws, W.V. Code §§ 46A-2A-101 et seq
    • Appendix K: HIPAA Breach Notification Rule
    • Notification by a Business Associate
    • Federal Trade Commission (FTC) Health Breach Notification Rule
    • Appendix L: Complying with the FTC Health Breach Notification Rule
    • Who's Covered by the Health Breach Notification Rule
    • You're Not a Vendor of Personal Health Records If You're Covered by HIPAA
    • Third-Party Service Provider
    • What Triggers the Notification Requirement
    • What to do If a Breach Occurs
    • Who You Must Notify and When You Must Notify Them
    • How to Notify People
    • What Information to Include
    • Answers to Questions About the Health Breach Notification Rule
    • We're a HIPAA Business Associate, But We Also Offer Personal Health Record Services to the Public. Which Rule Applies to Us?
    • What's the Penalty for Violating the FTC Health Breach Notification Rule?
    • Law Enforcement Officials Have Asked Us to Delay Notifying People About the Breach. What Should We Do?
    • Where Can I Learn More About the FTC Health Breach Notification Rule? Visit
    • Your Opportunity to Comment
    • Appendix L: Information Security Conferences
    • Appendix M: Recorded Presentations on How to Build an Information Security Awareness Program
    • Appendix N: Articles on How to Build an Information Security Awareness Program
  • Index


© Syngress 2014

About the Author

Bill Gardner

Bill Gardner is an Assistant Professor at Marshall University, where he teaches information security and foundational technology courses in the Department of Integrated Science and Technology. He is also President and Principal Security Consultant at BlackRock Consulting. In addition, Bill is Vice President and Information Security Chair at the Appalachian Institute of Digital Evidence. AIDE is a non-profit organization that provides research and training for digital evidence professionals including attorneys, judges, law enforcement officers and information security practitioners in the private sector. Prior to joining the faculty at Marshall, Bill co-founded the Hack3rCon convention, and co-founded 304blogs, and he continues to serve as Vice President of 304Geeks. In addition, Bill is a founding member of the Security Awareness Training Framework, which will be a prime target audience for this book.

Affiliations and Expertise

Bill Gardner OSCP, i-Net+, Security+, Asst. Prof. at Marshall University

Valerie Thomas

Valerie Thomas is a Senior Information Security Consultant for Securicon LLC that specializes in social engineering and physical penetration testing. After obtaining her bachelor's degree in Electronic Engineering, Valerie led information security assessments for the Defense Information Systems Agency (DISA) before joining private industry. Her skill set also includes intrusion detection, endpoint protection, data loss prevention, and mobile security. Throughout her career, Valerie has conducted penetration tests, vulnerability assessments, compliance audits, and technical security training for executives, developers, and other security professionals.

Affiliations and Expertise

Valerie Thomas C|EH, Security+, Senior Security Consultant, Securicon LLC


"...a blueprint for creating a highly practical and effective awareness programme that could do so much more to protect your organisation than tens of thousands of dollars spent on shiny new security hardware." --Network Security

"...a comprehensive introduction to the human factors that have an impact on the delivery of effective security, as well as practical proposals for the defense against social engineering and technical threats." --Computing Reviews

"I have been reading about this subject for a while now and, in my modest opinion, this is one of the best books out there covering it... every chapter holds some additional, practical information about each topic." --Help Net Security
