
REVIEW: "Information Security and Employee Behaviour", Angus McIlwraith

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1, Jun 15 11:39 AM
      BKISEMBE.RVW 20060520

      "Information Security and Employee Behaviour", Angus McIlwraith, 2006,
      0-566-08647-6, U$99.95
      %A Angus McIlwraith Angus.McIlwraith@...
      %C Suite 420, 101 Cherry Street, Burlington, VT 05401-4405 USA
      %D 2006
      %G 0-566-08647-6
      %I Gower Publishing Limited
      %O U$99.95 www.gowerpub.com info@...
      %O http://www.amazon.com/exec/obidos/ASIN/0566086476/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0566086476/robsladesin03-20
      %O Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
      %P 169 p.
      %T "Information Security and Employee Behaviour"

      In the introduction, McIlwraith points out that security awareness
      training properly consists of communication, raising of issues, and
      encouragement to modify behaviour. (This will come as no surprise to
      those who recall the definition of training as the modification of
      attitudes and behaviour.) He also notes that security professionals
      frequently concentrate solely on presentation of problems. The
      remainder of the introduction looks at other major security
      activities, and the part that awareness plays in ensuring that they
      actually work.

      Part one looks at a "framework for understanding." Chapter one
      addresses employee risk, and the fact that people assess risk very
      poorly. Issues such as whether the risk is controlled by the self or
      another, problems that are diffuse or dispersed, and immediacy all
      reduce our perception of the scale of the hazard. Other psychological
      reasons for poor decision-making are also examined. (There is also
      some explanation as to why security people get fixated on their field,
      and often over-emphasize minor problems.) This material definitely
      provides an understanding of the problem for anyone involved in
      security awareness, but unfortunately does not give equivalent
      solutions. The discussion of culture, in chapter two, describes a
      number of diverse corporate styles, with suggestions for the type of
      approach most likely to be effective in each. The fact that security
      professionals are frequently perceived as problem-creating, rather
      than problem-solving, is hardly a surprise, and so neither is chapter
      three. However, it does outline various reasons for this perception,
      which may give us insight into changes we could make. (I'm finishing
      off the security dictionary manuscript at the moment, and McIlwraith's
      comments on the jargon we use in security are definitely cringe-

      Part two moves into solutions. Chapter four outlines practical
      strategies and techniques. The author lists five major points: manage
      by facts and reality (rather than vague desires), have specific
      objectives (instead of just "we need training"), plan carefully,
      implement meticulously, and get real feedback on the results.
      Additional mechanisms for training success are discussed. Realistic
      assessment of the program (and the danger of simple metrics) is
      reviewed in chapter five. (I might take slight exception to
      McIlwraith's recommendation on rating scales: any use of odd-numbered
      scales tends to push responses into the middle.) Design of the
      delivery media for awareness materials is as important as the message,
      and chapter six provides useful advice for those of us who are
      stylistically challenged--which includes pretty much the entire
      technically-oriented clan.

      McIlwraith's message is important. His writing is interesting and
      clear. His suggestions are useful. His book is recommended for
      anyone with either a specific obligation for awareness training, or
      overall responsibility for security management.

      copyright Robert M. Slade, 2006 BKISEMBE.RVW 20060520

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      So what we are generally trying to do is not really Risk
      Assessment, but Risk Justification. We don't want to reduce risk
      so much as justify why we are allowing our assets to be so
      exposed. - Bill Royds
      Dictionary Information Security www.syngress.com/catalog/?pid=4150