"Managing the Human Factor in Information Security", David Lacey,
2009, 978-0-470-72199-5, U$50.00/C$55.00/UK#29.99
%A David Lacey
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%G 978-0-470-72199-5 0-470-72199-5
%I John Wiley & Sons, Inc.
%O U$50.00/C$55.00/UK#29.99 416-236-4433 fax: 416-236-4448
%O Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 374 p.
%T "Managing the Human Factor in Information Security"
The preface states that the intent of the book is to identify and
explain the range of human, organizational, and social challenges when
trying to manage security in the current information and
communications environment. It is hoped this material will help
manage incidents, risks, and design, and assist with promoting
security systems to employees and management. A subsidiary aim is to
leverage the use of social networking.
Some aspects of security are mentioned among the indiscriminate
stories in chapter one. Chapter two has more tales, with emphasis on
risks, and different people you encounter. Generic incident response
and business continuity material is in chapter three. When you know
the risk management literature, you can see where the arguments in
chapter four come from. (Yes, Donn, we know quantitative risk
analysis is impossible.) The trouble is, Lacey makes all of them, and
therefore comes to no conclusion. Chapter five has some points to
make about different types of people, and dealing with them.
Unfortunately, it's hard to extract the useful bits from the larding
of stories and verbiage. (Given the haphazard nature of the content,
making practical application would be even more difficult.) Aspects
of corporate culture are discussed, in an unstructured fashion, in
chapter six. Chapter seven notes a number of factors that have
appeared in successful security awareness programs, but doesn't
fulfill the promise of helping the reader design them. Chapter eight
is about changing organizational attitudes, so it's an (equally
random) extension of chapter six. It also adds some more items on
training programs. Chapter nine is about building business cases.
Generic advice on creating systems is provided in chapter ten. Some
even broader advice on management is in chapter eleven. A collection
of some points from throughout the book forms a "conclusion."
There are good points in the book. There are points that would be
good in one situation, and bad in another. There is little structure
in the work to help you find useful material. There are stories about
people, but not a survey of human factors. Lacey uses lots of
aphorisms throughout the text. I am reminded of the proverb that if
you can tell good advice from bad advice, you don't need any advice.
copyright, Robert M. Slade 2012 BKMHFIIS.RVW 20120216
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
Verba volant, scripta manent
Spoken words fly away, while written words stay on