Ensure the success of your security programme by understanding users' motivations
“This book cuts to the heart of many of the challenges in risk management, providing advice and tips from interviews as well as models that can be employed easily. Leron manages to do this without being patronising or prescriptive, making it an easy read with some very real practical takeaways.”
Thom Langford, Chief Information Security Officer at Publicis Groupe
“Based on real world examples the book provides valuable insights into the relationship of information security, compliance, business economics and decision theory. Drawing on interdisciplinary studies, commentary from the field and his own research Leron gives the reader the necessary background and practical tools to drive improvements in their own information security program.”
Daniel Schatz, Director for Threat & Vulnerability Management at Thomson Reuters
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
Product description
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour, helping security professionals understand how a security culture that puts risk into context promotes compliance.
Contents
Chapter 1: Introduction to information security
Chapter 2: Risk management
Chapter 3: The complexity of risk management
Chapter 4: Stakeholders and communication
Chapter 5: Information security governance
Chapter 6: Problems with policies
Chapter 7: How security managers make decisions
Chapter 8: How users make decisions
Chapter 9: Security and usability
Chapter 10: Security culture
Chapter 11: The psychology of compliance
Chapter 12: Conclusion - Changing the approach to security
Appendix: Analogies
About the author
Leron Zinatullin (zinatullin.com) is an experienced risk consultant specialising in cyber security strategy, management and delivery.
Often we infosec professionals get caught up in the esoteric details of threats, vulnerabilities, latest APT or eCrime group yet lose sight of the human element and the impact our designs and operations have on the usability of technology solutions.
This book provides a great reminder about human/user-centric design and about seeking out and aligning security controls and operations with the intrinsic motivations of users.
A great book that explains how psychology can help information security
I have heard a lot of security professionals struggle to maintain effective measures, as they consistently see user non-compliance behaviour. This long-standing problem never ends and causes business risks. This book reveals the root cause of the problem and motivates security professionals to rethink our approach to security.
Friends and colleagues tell me that Leron's subjects are interesting and his writing style is easy to follow without taking it to the reader. I was not disappointed with The Psychology of Information Security. I can easily follow the book because it starts with discussing various symptoms of the problem, and then analysing the mentality of users and security professionals to gradually develop the idea of revealing the underlying cause of the problem. It also encourages us to change our attitude when implementing and monitoring security controls. Leron tackles the key to success - how user decision-making processes work and what contributes to the extraordinary success of the security culture, and as a result, organisations will be much safer. That is crucial in today's environment.
Psychology must be an integral part of information security. As security professionals we need to know what and how people think, and how we should use technology to enable employees to perform business tasks in a secure way, to help build a secure workplace for the company.
I highly recommend this book to all levels of security professionals. This book is valuable, as it can be used as a guide for management in security strategy and planning and as a guide for security personnel to incorporate the essential elements into the implementation and monitoring of security controls.
Zinatullin's The Psychology of Information Security illustrates the importance of pragmatic information security practices within the workplace. He utilises some insightful everyday analogies to encourage a better understanding of security, especially for those not in the field of information security, but also encourages information security professionals to understand the frustrations faced by staff as they complete their required tasks.
This book is concise and clear with pragmatic and easy to implement suggestions, combining key business strategy concepts and industry leading information security frameworks. I believe this book is a must for any professional in information security, and highly recommended for anyone interested in this field.