Managing the Human Factor in Information Security: How to win over staff and influence business managers

“Computers do not commit crimes. People do.”
The biggest threat to information security is the “human factor”, the influence of people. Even the best people will make mistakes, cause breaches and create security weaknesses that enable criminals to steal, corrupt or manipulate systems and data. The explosion in social networking and mobile computing is intensifying this problem.
For the first time, this book brings together theories and methods which will help you to change and harness people’s security behaviour. It will help you to:Understand and manage major crises and riskAppreciate the nature of the insider threatNavigate organisation culture and politicsBuild better awareness programmesTransform user attitudes and behaviourGain Executive Board buy–inDesign management systems that really workHarness the power of your organisation
Based on the author’s own personal experience of working with large, complex organisations, such as Shell and Royal Mail, this book is written by an information security insider and makes essential reading for all information security professionals.
“We live in am age where social networks, collaborative working and community development are global and commonplace, redefining the role of information security. David takes a dry–as–dust elephant of a subject and expertly serves it up in edible, even tasty, morsels.” JP Rangaswami, Managing Director of BT Design.
“A highly entertaining read that will undoubtedly become essential reading for all security professionals.” Professor Fred Piper
“I’m really interested in reading this book and, frankly, once it’s published, I’ll be one of the first to buy it.” Dr. Eugene Schultz, High Tower Software

Spis treści:
Acknowledgements.
Foreword.
Introduction.
Chapter 1: Power to the people.
The po wer is out there – somewhere.
An information rich world.
When in doubt, phone a friend.
Engage with the public.
The power of the blogosphere.
The future of news.
Leveraging new ideas.
Changing the way we live.
Transforming the political landscape.
Network effects in business.
Being there.
Value in the digital age.
Hidden value in networks.
Network innovations create security challenges.
Youâ ve been de–perimeterized!
The collapse of information management.
The shifting focus of information security.
The external perspective.
A new world of openness.
A new age of collaborative working.
Collaboration oriented architecture.
Business in virtual worlds.
Democracy–but not as we know it.
Donâ t lock down that network.
The future of network security.
Can we trust the data?
The art of disinformation.
The future of knowledge.
The next big security concern.
Learning from networks.
Chapter 2: Everyone makes a difference.
Where to focus your efforts.
The view from the bridge.
The role of the executive board.
The new threat of data leakage.
The perspective of business management.
The role of the business manager.
Engaging with business managers.
The role of the IT function.
Minding your partners.
Computer users.
Customers and citizens.
Learning from stakeholders.
Chapter 3: Thereâ s no such thing as an isolated incident.
What lies beneath?
Accidents waiting to happen.
No system is foolproof.
Visibility is the key.
A lesson from the safety field.
Everyone makes mistakes.
The science of error prevention.
Swiss cheese and security.
How significant was that event?
Events are for the record.
When an event becomes an incident.
The immediacy of emergencies.
When disaster strikes.
When events spiral out of control.
How the response process changes.
No two cr ises are the same.
One size doesnâ t fit all.
The limits of planning.
Some assets are irreplaceable.
Itâ s the process, not the plan.
Why crisis management is hard.
Skills to manage a crisis.
Dangerous detail.
The missing piece of the jigsaw.
Establish the real cause.
Are you incubating a crisis?
When crisis management becomes the problem.
Developing crisis strategy.
Turning threats into opportunities.
Boosting market capitalization.
Anticipating events.
Anticipating opportunities.
Designing crisis team structures.
How many teams?
Who takes the lead?
Ideal team dynamics.
Multi–agency teams.
The perfect environment.
The challenge of the virtual environment.
Protocols for virtual team working.
Exercising the crisis team.
Learning from incidents.
Chapter 4: Zen and the art of risk management.
East meets West.
The nature of risks.
Who invented risk management?
We could be so lucky.
Components of risk.
Gross or net risk?
Donâ t lose sight of business.
How big is your appetite?
Itâ s an emotional thing.
In the eye of the beholder.
What risk was that?
Living in the past.
Who created that risk?
Itâ s not my problem.
Size matters.
Getting your sums right.
Some facts are counter–intuitive.
The loaded dice.
The answer is 42.
Itâ s just an illusion.
Context is king.
Perception and reality.
Itâ s a relative thing.
Risk, what risk?
Something wicked this way comes.
The black swan.
Double jeopardy.
What type of risk?
Lessons from the process industries.
Lessons from cost engineering.
Lessons from the financial sector.
Lessons from the insurance field.
The limits of percentage play.
Operational risk.
Joining up risk management.
General or specific?
Identifying and ranking risks.
Using checklists.
Categories of ris ks.
Itâ s a moving target.
Comparing and ranking risks.
Risk management strategies.
Communicating risk appetite.
Risk management maturity.
Thereâ s more to security than risk.
Itâ s a decision support tool.
The perils of risk assessment.
Learning from risk management.
Chapter 5: Who can you trust?
An asset or a liability?
People are different.
The rule of four.
The need to conform.
Understand your enemies.
The face of the enemy.
Run silent, run deep.
Dreamers and charmers.
The unfashionable hacker.
The psychology of scams.
Visitors are welcome.
Where loyalties lie.
Signs of disloyalty.
The whistleblower.
Stemming the leaks.
Stamping out corruption.
Know your staff.
We know what you did.
Reading between the lines.
Liberty or death.
Personality types.
Personalities and crime.
The dark triad.
Cyberspace is less risky.
Set a thief.
Itâ s a glamor profession.
There are easier ways.
I just donâ t believe it.
Donâ t lose that evidence.
They had it coming.
The science of investigation.
The art of interrogation.
Secure by design.
Science and snake oil.
The art of hypnosis.
The power of suggestion.
Itâ s just an illusion.
It pays to cooperate.
Artificial trust.
Who are you?
How many identities?
Laws of identity.
Learning from people.
Chapter 6: Managing organization culture and politics.
When worlds collide.
What is organization culture?
Organizations are different.
Organizing for security.
Tackling "localities".
Small is beautiful.
In search of professionalism.
Developing careers.
Skills for information security.
Information skills.
Survival skills.
Navigating the political minefield.
Square pegs and round holes.
Whatâ s in a name?
Managing relationships.
Exceeding expectations.
Nasty or