The Weakest Link
How to Diagnose, Detect, and Defend Users from Phishing
An expert in cybersecurity lays out an evidence-based approach for assessing user cyber risk and achieving organizational cyber resilience.
Phishing is the single biggest threat to cybersecurity, persuading even experienced users to click on hyperlinks and attachments in emails that conceal malware. Phishing has been responsible for every major cyber breach, from the infamous Sony hack in 2014 to the 2017 hack of the Democratic National Committee and the more recent Colonial Pipleline breach. The cybersecurity community's response has been intensive user training (often followed by user blaming), which has proven completely ineffective: the hacks keep coming. In The Weakest Link, cybersecurity expert Arun Vishwanath offers a new, evidence-based approach for detecting and defending against phishing—an approach that doesn't rely on continual training and retraining but provides a way to diagnose user vulnerability.
Vishwanath explains how organizations can build a culture of cyber safety. He presents a Cyber Risk Survey (CRS) to help managers understand which users are at risk and why. Underlying CRS is the Suspicion, Cognition, Automaticity Model (SCAM), which specifies the user thoughts and actions that lead to either deception by or detection of phishing come-ons. He describes in detail how to implement these frameworks, discussing relevant insights from cognitive and behavioral science, and then presents case studies of organizations that have successfully deployed the CRS to achieve cyber resilience. These range from a growing wealth management company with twenty regional offices to a small Pennsylvania nonprofit with forty-five employees.
The Weakest Link will revolutionize the way managers approach cyber security, replacing the current one-size-fits-all methodology with a strategy that targets specific user vulnerabilities.
"The Weakest Link is a much-needed antidote to the current fad of endless security awareness training. It offers an alternative based on actual evidence, one that puts user understanding at the start of the process and cyber-resilience at the end."
Bruce Schneier, author of Click Here to Kill Everybody: Security and Survival in a Hyperconnected World
“Phishing attacks won't be going away anytime soon. The Weakest Link gives a very actionable outline on how this problem can be addressed by any size organization. Focus especially on page 161 and follow that guide!”
Christopher Hadnagy, CEO of Social-Engineer, LLC, Founder of the Social-Engineering Framework, Author of Phishing Dark Waters and Human Hacking, Professor of Social Engineering at University of Arizona
“Practical, engaging, and well-grounded. Arun truly understands the human element and its position in a complex socio-technical world. This work is an exceptional window into decades of experience and knowledge.”
Si Pavitt, Head of Cyber Awareness, Behaviour, and Culture—UK Ministry of Defence
“A timely antidote to the 'just train people more' advice that pervades most approaches to the human side of cybersecurity. This book will help make your organization more cyber resilient!”
Joseph M. Hatfield, United States Naval Academy