The Weakest Link: How to Diagnose, Detect, and Defend Users from Phishing

Vishwanath, Arun

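  • Publisher: Summit Valley Press
  • Publication date: 2022-08-16
  • List price: $1,130
  • Sale price: 8.0$904 (limited-time offer until 2024-04-28)
  • Language: English
  • Pages: 272
  • Binding: Hardcover - also called cloth, retail trade, or trade
  • ISBN: 0262047497
  • ISBN-13: 9780262047494
  • Related categories: Information Security, Computer-networks, Hack
  • Ships immediately (limited quantity) (stock = 2)

Product description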

An expert in cybersecurity lays out an evidence-based approach for assessing user cyber risk and achieving organizational cyber resilience.

Phishing is the single biggest threat to cybersecurity, persuading even experienced users to click on hyperlinks and attachments in emails that conceal malware. Phishing has been responsible for every major cyber breach, from the infamous Sony hack in 2014 to the 2017 hack of the Democratic National Committee and the more recent Colonial Pipeline breach. The cybersecurity community's response has been intensive user training (often followed by user blaming), which has proven completely ineffective: the hacks keep coming. In The Weakest Link, cybersecurity expert Arun Vishwanath offers a new, evidence-based approach for detecting and defending against phishing--an approach that doesn't rely on continual training and retraining but provides a way to diagnose user vulnerability.

Vishwanath explains how organizations can build a culture of cyber safety. He presents a Cyber Risk Survey (CRS) to help managers understand which users are at risk and why. Underlying CRS is the Suspicion, Cognition, Automaticity Model (SCAM), which specifies the user thoughts and actions that lead to either deception by or detection of phishing come-ons. He describes in detail how to implement these frameworks, discussing relevant insights from cognitive and behavioral science, and then presents case studies of organizations that have successfully deployed the CRS to achieve cyber resilience. These range from a growing wealth management company with twenty regional offices to a small Pennsylvania nonprofit with forty-five employees.

The Weakest Link will revolutionize the way managers approach cyber security, replacing the current one-size-fits-all methodology with a strategy that targets specific user vulnerabilities.

About the author

Arun Vishwanath, a leading expert in cybersecurity, has held faculty positions at the University at Buffalo, Indiana University, and the Berkman Klein Center for Internet & Society at Harvard University. He has written on human cyber vulnerability and related topics for CNN, the Washington Post, and other major media.
