REVIEW: "Managing the Human Factor in Information Security", David Lacey

  • Rob, grandpa of Ryan, Trevor, Devon & Han
    Aug 16, 2012
      BKMHFIIS.RVW 20120216

      "Managing the Human Factor in Information Security", David Lacey,
      2009, 978-0-470-72199-5, U$50.00/C$55.00/UK#29.99
      %A David Lacey
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2009
      %G 978-0-470-72199-5 0-470-72199-5
      %I John Wiley & Sons, Inc.
      %O U$50.00/C$55.00/UK#29.99 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0470721995/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0470721995/robsladesin03-20
      %O Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
      %P 374 p.
      %T "Managing the Human Factor in Information Security"

      The preface states that the intent of the book is to identify and
      explain the range of human, organizational, and social challenges when
      trying to manage security in the current information and
      communications environment. It is hoped this material will help
      manage incidents, risks, and design, and assist with promoting
      security systems to employees and management. A subsidiary aim is to
      leverage the use of social networking.

      Some aspects of security are mentioned among the indiscriminate
      stories in chapter one. Chapter two has more tales, with emphasis on
      risks, and different people you encounter. Generic incident response
      and business continuity material is in chapter three. When you know
      the risk management literature, you can see where the arguments in
      chapter four come from. (Yes, Donn, we know quantitative risk
      analysis is impossible.) The trouble is, Lacey makes all of them, and
      therefore comes to no conclusion. Chapter five has some points to
      make about different types of people, and dealing with them.
      Unfortunately, it's hard to extract the useful bits from the larding
      of stories and verbiage. (Given the haphazard nature of the content,
      making practical application would be even more difficult.) Aspects
      of corporate culture are discussed, in an unstructured fashion, in
      chapter six. Chapter seven notes a number of factors that have
      appeared in successful security awareness programs, but doesn't
      fulfill the promise of helping the reader design them. Chapter eight
      is about changing organizational attitudes, so it's an (equally
      random) extension of chapter six. It also adds some more items on
      training programs. Chapter nine is about building business cases.
      Generic advice on creating systems is provided in chapter ten. Some
      even broader advice on management is in chapter eleven. A collection
      of some points from throughout the book forms a "conclusion."

      There are good points in the book. There are points that would be
      good in one situation, and bad in another. There is little structure
      in the work to help you find useful material. There are stories about
      people, but not a survey of human factors. Lacey uses lots of
      aphorisms throughout the text. I am reminded of the proverb that if
      you can tell good advice from bad advice, you don't need any advice.

      copyright, Robert M. Slade 2012 BKMHFIIS.RVW 20120216

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Verba volant, scripta manent
      Spoken words fly away, while written words stay on
      victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links