Managing the Human Factor in Information Security- How to win over staff and influence businessmanagers
Buy Rights Online Buy Rights

Rights Contact Login For More Details

More About This Title Managing the Human Factor in Information Security- How to win over staff and influence businessmanagers


With the growth in social networking and the potential for larger and larger breaches of sensitive data,it is vital for all enterprises to ensure that computer users adhere to corporate policy and project staff design secure systems. Written by a security expert with more than 25 years' experience, this book examines how fundamental staff awareness is to establishing security and addresses such challenges as containing threats, managing politics, developing programs, and getting a business to buy into a security plan. Illustrated with real-world examples throughout, this is a must-have guide for security and IT professionals.


David Lacey is a leading authority on Information Security management with more than 25 years professional experience, gained in senior leadership roles in Royal Dutch/Shell Group, Royal Mail Group and the British Foreign & Commonwealth Office. David is now a freelance director, researcher, writer and a consultant to organisations, venture capitalists and technology companies. He also writes a leading blog on IT Security for Computer Weekly, the largest circulation UK technology magazine.


Acknowledgements xvii

Foreword xix

Introduction xxi

1 Power to the people 1

The power is out there . . . somewhere 1

An information-rich world 2

When in doubt, phone a friend 3

Engage with the public 4

The power of the blogosphere 4

The future of news 5

Leveraging new ideas 5

Changing the way we live 6

Transforming the political landscape 7

Network effects in business 8

Being there 9

Value in the digital age 9

Hidden value in networks 10

Network innovations create security challenges 12

You’ve been de-perimeterized! 14

The collapse of information management 15

The shifting focus of information security 15

The external perspective 17

A new world of openness 18

A new age of collaborative working 19

Collaboration-oriented architecture 20

Business in virtual worlds 21

Democracy . . . but not as we know it 22

Don’t lock down that network 23

The future of network security 24

Can we trust the data? 25

The art of disinformation 27

The future of knowledge 28

The next big security concern 30

Learning from networks 31

2 Everyone makes a difference 33

Where to focus your efforts 33

The view from the bridge 34

The role of the executive board 35

The new threat of data leakage 36

The perspective of business management 38

The role of the business manager 39

Engaging with business managers 40

The role of the IT function 41

Minding your partners 42

Computer users 43

Customers and citizens 44

Learning from stakeholders 44

3 There’s no such thing as an isolated incident 47

What lies beneath? 47

Accidents waiting to happen 48

No system is foolproof 49

Visibility is the key 49

A lesson from the safety field 50

Everyone makes mistakes 52

The science of error prevention 53

Swiss cheese and security 54

How significant was that event? 55

Events are for the record 56

When an event becomes an incident 57

The immediacy of emergencies 57

When disaster strikes 58

When events spiral out of control 58

How the response process changes 59

No two crises are the same 60

One size doesn’t fit all 61

The limits of planning 62

Some assets are irreplaceable 63

It’s the process, not the plan 63

Why crisis management is hard 64

Skills to manage a crisis 65

Dangerous detail 67

The missing piece of the jigsaw 67

Establish the real cause 68

Are you incubating a crisis? 69

When crisis management becomes the problem 70

Developing a crisis strategy 70

Turning threats into opportunities 71

Boosting market capitalization 72

Anticipating events 73

Anticipating opportunities 74

Designing crisis team structures 75

How many teams? 76

Who takes the lead? 77

Ideal team dynamics 77

Multi-agency teams 78

The perfect environment 79

The challenge of the virtual environment 80

Protocols for virtual team working 81

Exercising the crisis team 81

Learning from incidents 83

4 Zen and the art of risk management 85

East meetsWest 85

The nature of risks 86

Who invented risk management? 87

We could be so lucky 88

Components of risk 89

Gross or net risk? 90

Don’t lose sight of business 91

How big is your appetite? 92

It’s an emotional thing 93

In the eye of the beholder 94

What risk was that? 96

Living in the past 96

Who created that risk? 97

It’s not my problem 98

Size matters 99

Getting your sums right 99

Some facts are counterintuitive 101

The loaded dice 101

The answer is 42 103

It’s just an illusion 103

Context is king 104

Perception and reality 105

It’s a relative thing 107

Risk, what risk? 107

Something wicked this way comes 108

The black swan 109

Double jeopardy 110

What type of risk? 111

Lessons from the process industries 112

Lessons from cost engineering 113

Lessons from the financial sector 113

Lessons from the insurance field 115

The limits of percentage play 116

Operational risk 116

Joining up risk management 117

General or specific? 119

Identifying and ranking risks 120

Using checklists 122

Categories of risks 122

It’s a moving target 123

Comparing and ranking risks 124

Risk management strategies 125

Communicating risk appetite 126

Risk management maturity 127

There’s more to security than risk 128

It’s a decision support tool 129

The perils of risk assessment 130

Learning from risk management 131

5 Who can you trust? 133

An asset or a liability? 133

People are different 134

The rule of four 135

The need to conform 136

Understand your enemies 137

The face of the enemy 137

Run silent, run deep 138

Dreamers and charmers 139

The unfashionable hacker 140

The psychology of scams 142

Visitors are welcome 142

Where loyalties lie 144

Signs of disloyalty 144

The whistleblower 145

Stemming the leaks 146

Stamping out corruption 147

Know your staff 148

We know what you did 149

Reading between the lines 151

Liberty or death 153

Personality types 154

Personalities and crime 156

The dark triad 157

Cyberspace is less risky 157

Set a thief 159

It’s a glamour profession 160

There are easier ways 160

I just don’t believe it 161

Don’t lose that evidence 162

They had it coming 163

The science of investigation 164

The art of interrogation 165

Secure by design 167

Science and snake oil 167

The art of hypnosis 169

The power of suggestion 170

It’s just an illusion 171

It pays to cooperate 172

Artificial trust 173

Who are you? 173

How many identities? 175

Laws of identity 176

Learning from people 178

6 Managing organization culture and politics 181

When worlds collide 181

What is organization culture? 182

Organizations are different 184

Organizing for security 186

Tackling ‘localitis’ 186

Small is beautiful 187

In search of professionalism 188

Developing careers 190

Skills for information security 191

Information skills 192

Survival skills 194

Navigating the political minefield 195

Square pegs and round holes 196

What’s in a name? 197

Managing relationships 199

Exceeding expectations 200

Nasty or nice 201

In search of a healthy security culture 202

In search of a security mindset 204

Who influences decisions? 205

Dealing with diversity 206

Don’t take yes for an answer 207

Learning from organization culture and politics 208

7 Designing effective awareness programs 211

Requirements for change 211

Understanding the problem 212

Asking the right questions 213

The art of questionnaire design 214

Hitting the spot 215

Campaigns that work 216

Adapting to the audience 217

Memorable messages 218

Let’s play a game 220

The power of three 221

Creating an impact 222

What’s in a word? 224

Benefits not features 225

Using professional support 226

The art of technical writing 227

Marketing experts 228

Brand managers 229

Creative teams 230

The power of the external perspective 230

Managing the media 231

Behavioural psychologists 232

Blogging for security 233

Measuring your success 234

Learning to conduct campaigns 235

8 Transforming organization attitudes and behaviour 237

Changing mindsets 237

Reward beats punishment 238

Changing attitudes 240

Scenario planning 241

Successful uses of scenarios 242

Dangers of scenario planning 243

Images speak louder 244

A novel approach 245

The balance of consequences 245

The power of attribution 248

Environments shape behaviour 248

Enforcing the rules of the network 250

Encouraging business ethics 251

The art of on-line persuasion 251

Learning to change behaviour 252

9 Gaining executive board and business buy-in 255

Countering security fatigue 255

Money isn’t everything 256

What makes a good business case? 257

Aligning with investment appraisal criteria 257

Translating benefits into financial terms 258

Aligning with IT strategy 259

Achieving a decisive result 259

Key elements of a good business case 260

Assembling the business case 261

Identifying and assessing benefits 261

Something from nothing 263

Reducing project risks 263

Framing your recommendations 264

Mastering the pitch 264

Learning how to make the business case 266

10 Designing security systems that work 269

Why systems fail 269

Setting the vision 270

What makes a good vision? 270

Defining your mission 272

Building the strategy 274

Critical success factors for effective governance 275

The smart approach to governance 276

Don’t reinvent the wheel 276

Look for precedents from other fields 277

Take a top down approach 277

Start small, then extend 278

Take a strategic approach 278

Ask the bigger question 279

Identify and assess options 280

Risk assessment or prescriptive controls? 280

In a class of their own 282

Not all labels are the same 283

Guidance for technology and people 284

Designing long-lasting frameworks 285

Applying the fourth dimension 286

Do we have to do that? 287

Steal with caution 289

The golden triangle 290

Managing risks across outsourced supply chains 291

Models, frameworks and architectures 292

Why we need architecture 293

The folly of enterprise security architectures 294

Real-world security architecture 295

The 5Ws (and one H) 296

Occam’s Razor 297

Trust architectures 298

Secure by design 299

Jericho Forum principles 299

Collaboration-oriented architecture 300

Forwards not backwards 301

Capability maturity models 301

The power of metrics 302

Closing the loop 303

The importance of ergonomics 305

It’s more than ease of use 305

The failure of designs 306

Ergonomic methods 307

A nudge in the right direction 308

Learning to design systems that work 308

11 Harnessing the power of the organization 311

The power of networks 311

Surviving in a hostile world 311

Mobilizing the workforce 312

Work smarter, not harder 313

Finding a lever 313

The art of systems thinking 314

Creating virtuous circles 315

Triggering a tipping point 315

Identifying key influencers 316

In search of charisma 318

Understanding fashion 318

The power of context 319

The bigger me 320

The power of the herd 321

The wisdom of crowds 322

Unlimited resources – the power of open source 323

Unlimited purchasing power 324

Let the network to do the work 324

Why is everything getting more complex? 325

Getting to grips with complexity 327

Simple can’t control complex 327

Designing freedom 329

A process-free world 330

The power of expressive systems 331

Emergent behaviour 332

Why innovation is important 332

What is innovation? 333

What inspires people to create? 335

Just one idea is enough 335

The art of creative thinking 336

Yes, you can 336

Outside the box 337

Innovation environments 339

Turning ideas into action 339

Steps to innovation heaven 340

The road ahead 341

Mapping the future 342

Learning to harness the power of the organization 344

In conclusion 347

Bibliography 353

Index 357