Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Robert Slade Review: "Information Security and Employee Behaviour" Print E-mail
User Rating:      How can I rate this item?
Book Reviews Excerpts:
"Chapter one addresses employee risk, and the fact that people assess risk very poorly..."

"The fact that security professionals are frequently perceived as problem-creating, rather than problem-solving, is hardly a surprise..."

Title Information Security and Employee Behaviour
Author Angus McIlwraith
Pages 169
ISBN 0-566-08647-6
Publisher Gower Publishing Limited
Edition 1st Edition
Price US $99.95

In the introduction, McIlwraith points out that security awareness training properly consists of communication, raising of issues, and encouragement to modify behaviour. (This will come as no surprise to those who recall the definition of training as the modification of attitudes and behaviour.) He also notes that security professionals frequently concentrate solely on presentation of problems. The remainder of the introduction looks at other major security activities, and the part that awareness plays in ensuring that they actually work.

Part one looks at a "framework for understanding." Chapter one addresses employee risk, and the fact that people assess risk very poorly. Issues such as whether the risk is controlled by the self or another, problems that are diffuse or dispersed, and immediacy all reduce our perception of the scale of the hazard. Other psychological reasons for poor decision-making are also examined. (There is also some explanation as to why security people get fixated on their field, and often over-emphasize minor problems.) This material definitely provides an understanding of the problem for anyone involved in security awareness, but unfortunately does not give equivalent solutions. The discussion of culture, in chapter two, describes a number of diverse corporate styles, with suggestions for the type of approach most likely to be effective in each. The fact that security professionals are frequently perceived as problem-creating, rather than problem-solving, is hardly a surprise, and so neither is chapter three. However, it does outline various reasons for this perception, which may give us insight into changes we could make. (I'm finishing off the security dictionary manuscript at the moment, and McIlwraith's comments on the jargon we use in security are definitely cringe- making.)

Part two moves into solutions. Chapter four outlines practical strategies and techniques. The author lists five major points: manage by facts and reality (rather than vague desires), have specific objectives (instead of just "we need training"), plan carefully, implement meticulously, and get real feedback on the results. Additional mechanisms for training success are discussed. Realistic assessment of the program (and the danger of simple metrics) is reviewed in chapter five. (I might take slight exception to McIlwraith's recommendation on rating scales: any use of odd-numbered scales tends to push responses into the middle.) Design of the delivery media for awareness materials is as important as the message, and chapter six provides useful advice for those of us who are stylistically challenged--which includes pretty much the entire technically-oriented clan.

McIlwraith's message is important. His writing is interesting and clear. His suggestions are useful. His book is recommended for anyone with either a specific obligation for awareness training, or overall responsibility for security management.

copyright Robert M. Slade, 2006

new file engine searchWritten by naeeo on 2008-10-24 15:16:00
I saw more of this staff at 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.