Computing Reviews
The psychology of information security
Zinatullin L., IT Governance Ltd, Ely, UK, 2016. 128 pp. Type: Book (978-1-849287-89-0)
Date Reviewed: Aug 15 2017

With the increase of ever-advancing technology, the field of information security has seemingly overlooked a crucial factor: humans. This book aims to address this lacuna by describing the role of human psychology with respect to securing information systems. At slightly more than 90 pages, it’s a short read aimed at a nontechnical audience.

It starts by explaining the basics of information security--confidentiality, integrity, and availability--and then moves on to a high-level overview of risk management principles. The author stresses the importance of socializing the underlying motives of information security risks with as many stakeholders as feasible, because only by aligning the security risks with other business risks can one reach an integrated approach to risk management. Gaining stakeholder support is essential to successfully implementing information security measures, especially as they can require a change of behavior that could be perceived as a burden by those affected.

Starting with chapter 5, the author moves into the field of information security governance, and provides cases where policies and procedures were merely papers collecting dust instead of being alive and truly helping to drive the various security initiatives. Being aware of the impact of information security policies on the end users is something that, while important for security professionals, is often driven by the number of complaints received from said end users. This reveals a lack of proactive thinking that would be needed to strengthen the security program.

The author brings up an interesting point regarding compliance: the security professional is inclined to accept noncompliance by end users as a sign to improve the security policies and procedures as opposed to disciplining the user who violates the rules. This sway to noncompliance is furthered by end users who feel there are no consequences to ignoring certain security rules--a catch-22 that is not easily resolved.

A possible way out of this is to engage in root cause analysis instead of focusing on symptoms of the problem: start by asking why users are not complying, and then, through repeated iterations of the why question, the ultimate underlying cause can be identified and subsequently addressed.

The last few chapters of the book focus on the psychology of compliance and creating a positive security culture. Quoting research that has shown users to take action if they perceive a benefit, the author applies this to the security field. He optimistically states that once an organization’s security systems favor compliance and its users are well educated, expensive architectural solutions will become obsolete.

Unfortunately, the author has not taken into consideration recent views that security should be transparent in the sense that users must be prevented from making mistakes. For example, despite the security training users receive, there will always be a percentage of users who still click on malicious links and thus get infected. Wouldn’t it be better to protect the users from such consequences by installing relevant technological solutions, such as evaluating suspected links in a sandbox environment?

But alas, those questions are not raised and the reader is left with the old mantra that involving users in security decisions will increase security, and the author limits himself to wishful thinking about the power of education. By contrast, the security guru Bruce Schneier wrote, back in March 2013, that in his view information security education is literally a “waste of time.”

Any security officer who faces a tight budget will have to make tough choices when allocating resources. It is unfortunate that the book does not include a more critical review of user education, especially since it addresses the psychology of information security. Still, readers who are aware of this concern will find ample information in this book, and the real-life examples scattered throughout the book make the material come to life.

Reviewer: Riemer Brouwer. Review #: CR145486 (1710-0647)
Categories: Security, Integrity, And Protection (H.2.0); Psychology (J.4); Security and Protection (K.6.5)